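# https://hackviser.com/tactics/hardening/caddy
#
# Caddyfile tokens are whitespace-separated and only double quotes and
# backticks quote a value. Multi-part header values MUST therefore be
# double-quoted: unquoted, `max-age=31536000; includeSubDomains; preload`
# is parsed as three separate arguments and the header directive rejects
# it, and a CSP written with only single quotes is split on every space.
# Header field names are written without a trailing colon.

{
	# The sites below bind to inherited sockets and provide their own
	# HTTP->HTTPS redirect, so Caddy's automatic redirect listener is
	# disabled to avoid it competing for port 80.
	auto_https disable_redirects

	# Do not write access logs to the default (stderr) logger, which is
	# journald when Caddy runs as a systemd service.
	log {
		exclude http.log.access
	}

	# Write access logs to the logs volume in JSON format.
	# Only keep rolled logs for the last 30 days (720h).
	log access {
		format json
		output file /data/logs/access.log {
			roll_keep_for 720h
		}
	}
}

# Default http config: accept plaintext requests on the inherited
# socket fd/3 (e.g. systemd socket activation) and permanently
# redirect to https. {host} is taken from the client-supplied Host
# header; the redirect stays on that same host, so this is not an
# open redirect, but the request must still be served by an https
# site that matches the host.
(https-redir) {
	bind fd/3 {
		protocols h1
	}
	redir https://{host}{uri} 308
}

# Default https config: accept requests on fd/4 (TCP: HTTP/1.1 and
# HTTP/2) and on the datagram socket fdgram/5 (UDP: HTTP/3).
(https) {
	bind fd/4 {
		protocols h1 h2
	}
	bind fdgram/5 {
		protocols h3
	}
}

# Response compression. zstd is listed first so it is preferred when
# the client offers both encodings.
(compression) {
	encode zstd gzip
}

# Security headers that should be used by most sites: HSTS, MIME
# sniffing and framing protection, a restrictive CSP and a referrer
# policy. Server-identifying headers are removed because Caddy sets
# its own `Server` header and a reverse-proxied backend may pass
# through its own `Server`/`X-Powered-By`, which fingerprints the
# software stack for an attacker.
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://scotthelme.co.uk/content-security-policy-an-introduction/
(default-headers) {
	header {
		# NOTE(review): `preload` together with includeSubDomains commits
		# every subdomain to HTTPS for a year once the domain is on the
		# browser preload list; drop `preload` unless you intend to submit
		# the domain to https://hstspreload.org.
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		# frame-ancestors is the CSP equivalent of X-Frame-Options and is
		# what modern browsers honour; it is kept consistent with SAMEORIGIN.
		# 'unsafe-inline' is allowed for styles only; sites that need inline
		# scripts or third-party assets must override this header in their
		# own site block rather than loosening the default.
		Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
		Referrer-Policy same-origin
		# Header deletions in the Caddyfile header directive are deferred
		# until the response is written, so they are expected to strip
		# headers set by a reverse_proxy upstream as well — verify with
		# `curl -sI https://<host>` after deploying.
		-Server
		-X-Powered-By
	}
}

import *.caddy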