From e23155d3d71cca1cae257fbe42bbd86a11efdd88 Mon Sep 17 00:00:00 2001
From: Jan Beilicke
Date: Sat, 4 Apr 2020 23:04:53 +0200
Subject: [PATCH] Set HTTP security headers

---
 templates/docker-compose.jitsi.yml.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/templates/docker-compose.jitsi.yml.j2 b/templates/docker-compose.jitsi.yml.j2
index dae8cfa..f47f56d 100644
--- a/templates/docker-compose.jitsi.yml.j2
+++ b/templates/docker-compose.jitsi.yml.j2
@@ -45,6 +45,16 @@ services:
 - "traefik.http.routers.jitsi.entrypoints=websecure"
 - "traefik.http.routers.jitsi.tls=true"
 - "traefik.http.routers.jitsi.tls.certresolver=defaultresolver"
+ - "traefik.http.middlewares.jitsi-headers.headers.SSLRedirect=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.browserXSSFilter=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.contentTypeNosniff=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.forceSTSHeader=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.STSSeconds=315360000"
+ - "traefik.http.middlewares.jitsi-headers.headers.STSIncludeSubdomains=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.STSPreload=true"
+ - "traefik.http.middlewares.jitsi-headers.headers.featurePolicy=geolocation 'none'; payment 'none'"
+ - "traefik.http.middlewares.jitsi-headers.headers.contentSecurityPolicy=default-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content"
+ - "traefik.http.routers.jitsi.middlewares=jitsi-headers"
 networks:
 public:
 meet.jitsi:
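Review bot: `SSLRedirect=true` on the new `jitsi-headers` middleware has no effect here, because the middleware is attached only to the `jitsi` router, which the context line `traefik.http.routers.jitsi.entrypoints=websecure` binds to the TLS entrypoint, so a plain-HTTP request never reaches it; an HTTP-to-HTTPS redirect needs a router on the plain entrypoint (Traefik's `redirectscheme` middleware) or the line can be dropped. The `contentSecurityPolicy` value should be verified against a live conference before merging: `frame-ancestors 'none'` blocks embedding this instance in any iframe (including via Jitsi's own iframe API, if that is used), and `script-src 'self' 'unsafe-inline'` largely neutralises the XSS protection the policy is meant to provide, so it deserves a template comment such as `# 'unsafe-inline' is needed by Jitsi Meet's inline scripts; tighten to nonces/hashes when the app supports them`. `STSPreload=true` combined with `STSIncludeSubdomains=true` and a ten-year `STSSeconds` declares the host eligible for browser HSTS preload lists, which is effectively irreversible and commits every subdomain to HTTPS, so it should be an explicit, documented operator choice (for example a template variable defaulting to false) rather than a hard-coded default. `browserXSSFilter=true` emits the legacy `X-XSS-Protection` header, which current browsers no longer honour; with a CSP in place it adds nothing and can be removed.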