Superheader is a plugin for Traefik that adds the necessary headers to responses to help secure web applications.
The headers set are adhere to the recommendations of the OWASP Secure Headers Project https://owasp.org/www-project-secure-headers/
For a plugin to be active for a given Traefik instance, it must be declared in the static configuration.
experimental:plugins:superheader:moduleName: "github.com/mridang/traefik-superheader"version: "v1.0.0"
http:routers:my-router:rule: "Host(`example.com`)"entryPoints:- webmiddlewares:- my-middleware # Apply the middleware to the routermiddlewares:superheader:plugin:superheader:x-frame-options: DENYx-dns-prefetch-control: offx-content-type-options: nosniffstrict-transport-security: max-age=31536000; includeSubDomainsreferrer-policy: no-referrerx-xss-protection: 1; mode=blockcross-origin-opener-policy: same-origincross-origin-embedder-policy: require-corpcross-origin-resource-policy: same-originorigin-agent-cluster: ?1x-permitted-cross-domain-policies: master-onlyremove-powered-by: on
This example shows you how to load and configure the plugin using the command-line arguments.
traefik \--entryPoints.web.address=:80 \--providers.file.filename=traefik.yml \--experimental.plugins.superheader.moduleName=github.com/mridang/traefik-superheader \--experimental.plugins.superheader.version=v0.1.0 \--http.middlewares.superheader.plugin.superheader.x-frame-options=DENY \--http.middlewares.superheader.plugin.superheader.x-dns-prefetch-control=off \--http.middlewares.superheader.plugin.superheader.x-content-type-options=nosniff \--http.middlewares.superheader.plugin.superheader.strict-transport-security="max-age=31536000; includeSubDomains" \--http.middlewares.superheader.plugin.superheader.referrer-policy=no-referrer \--http.middlewares.superheader.plugin.superheader.x-xss-protection="1; mode=block" \--http.middlewares.superheader.plugin.superheader.cross-origin-opener-policy=same-origin \--http.middlewares.superheader.plugin.superheader.cross-origin-embedder-policy=require-corp \--http.middlewares.superheader.plugin.superheader.cross-origin-resource-policy=same-origin \--http.middlewares.superheader.plugin.superheader.origin-agent-cluster="?1" \--http.middlewares.superheader.plugin.superheader.x-permitted-cross-domain-policies=master-only \--http.middlewares.superheader.plugin.superheader.remove-powered-by=on
services:traefik:image: traefik:3.3.3ports:- "7080:80"- "9080:8080"command:- --api.dashboard=false- --api.insecure=false- --log.level=DEBUG- --providers.docker=true- --entrypoints.web.address=:80- --entrypoints.websecure.address=:443- --experimental.plugins.superheader.moduleName=mridang/traefik-superheadervolumes:- '/var/run/docker.sock:/var/run/docker.sock'labels:- traefik.enable=true- traefik.http.services.traefik.loadbalancer.server.port=8080# A sample service that uses the middleware with the defaultsfoo:image: traefik/whoamilabels:- traefik.enable=true- traefik.http.routers.foo.rule=PathPrefix(`/foo`)- traefik.http.routers.foo.middlewares=superheader- traefik.http.routers.foo.entrypoints=websecure# A sample service that uses the middleware with custom optionsbar:image: traefik/whoamilabels:- traefik.enable=true- traefik.http.routers.bar.rule=PathPrefix(`/bar`)- traefik.http.routers.bar.middlewares=superheader- traefik.http.middlewares.superheader.plugin.superheader.x-frame-options="DENY"- traefik.http.routers.bar.entrypoints=websecure# A sample service that does not use the middleware at allbaz:image: traefik/whoamilabels:- traefik.enable=true- traefik.http.routers.baz.rule=PathPrefix(`/baz`)- traefik.http.routers.baz.entrypoints=web
The middleware exposes a few options to allow customising the behaviour. To make it harder to misconfigure the plugin all the keys and values are lowercased. All the values are case-insensitive.
This header can be configured by the "x-frame-options" header to control whether
a browser should be allowed to render a page in a <frame>, <iframe>,
<embed>, or <object>.
The valid values are as follows:
deny: Prevents any domain from framing the content. (Default)sameorigin: Allows the same domain to frame the content.For more information, visit: MDN: X-Frame-Options
This header can be configured by the "x-dns-prefetch-control" header to control DNS prefetching.
The valid values are as follows:
on: Enables DNS prefetching. (Default)off: Disables the setting of the headerFor more information, visit: MDN: X-DNS-Prefetch-Control
This header can be configured by the "x-content-type-options" header to tell the browser to not sniff the MIME type of the content.
The valid values are as follows:
on: Prevents browsers from attempting to infer the MIME type. (Default)off: Disables the setting of the headerFor more information, visit: MDN: X-Content-Type-Options
This header can be configured by the "strict-transport-security" header to enforce secure (HTTPS) connections to the server.
The valid values are as follows:
on: Enforces HTTPS for the specified duration and includes all subdomains. (Default)off: Disables the setting of the headerFor more information, visit: MDN: Strict-Transport-Security
This header can be configured by the "referrer-policy" header to control how much referrer information should be included with requests.
The valid values are as follows:
on | no-referrer: No referrer information is sent. (Default)no-referrer-when-downgrade: Referrer is sent for same-origin requests,
but not for cross-origin requests to HTTP.origin: Only the origin is sent as the referrer.origin-when-cross-origin: Sends the full URL as referrer for same-origin
requests and only the origin for cross-origin.same-origin: Sends the full URL as referrer only for same-origin requests.strict-origin: Only the origin is sent as referrer for same-origin
requests.strict-origin-when-cross-origin: Sends the origin as referrer for
same-origin requests, and the origin for cross-origin requests.unsafe-url: Always sends the full URL as referrer.off: Disables the setting of the headerFor more information, visit: MDN: Referrer-Policy
This header can be configured by the "x-xss-protection" header to enable or disable cross-site scripting (XSS) filters built into most modern browsers.
The valid values are as follows:
on: Enables the XSS filter. (Default)block: Enables the XSS filter and blocks the page if an attack
is detected.off: Disables the XSS filter.For more information, visit: MDN: X-XSS-Protection
This header can be configured by the "cross-origin-opener-policy" header to control the interaction between the browsing context (window or tab) and other contexts (e.g., windows or tabs from other origins).
The valid values are as follows:
on | same-origin: Only allows interactions with the same-origin windows.unsafe-none: Allows all interactions with other contexts.same-origin-allow-popups: Allows same-origin windows to interact with
the opener, but blocks cross-origin ones.noopener-allow-popups: Allows interaction with popups, but blocks other
contexts.off: Disables the setting of the headerFor more information, visit: MDN: Cross-Origin-Opener-Policy
This header can be configured by the "cross-origin-embedder-policy" header to control the resources that can be embedded by a document.
The valid values are as follows:
on | require-corp: Requires cross-origin resources to be explicitly marked
as permissive. (Default)unsafe-none: Allows all cross-origin resources to be embedded.credentialless: Requires cross-origin resources to allow for credentials
to be omitted.off: Disables the setting of the headerFor more information, visit: MDN: Cross-Origin-Embedder-Policy
This header can be configured by the "cross-origin-resource-policy" header to control the cross-origin requests that a resource can make.
The valid values are as follows:
on | same-origin: Only allows requests from the same origin. (Default)same-site: Allows requests from the same site.cross-origin: Allows all cross-origin requests.off: Disables the setting of the headerFor more information, visit: MDN: Cross-Origin-Resource-Policy
This header can be configured by the "origin-agent-cluster" header to allow for isolating resources by user agent.
The valid values are as follows:
on: Enables origin agent clustering.off: Disables the setting of the headerFor more information, visit: MDN: Origin-Agent-Cluster
This header can be configured by the "x-permitted-cross-domain-policies" header to control the permissible cross-domain policies.
The valid values are as follows:
none: No cross-domain policies are allowed.master-only: Only the master policy is allowed.by-content-type: Policies can be defined by content type.by-ftp-filename: Policies can be defined by FTP filename.all: All cross-domain policies are allowed.none-this-response: No policies are allowed for the current response.off: Disables the setting of the headerFor more information, visit: MDN: X-Permitted-Cross-Domain-Policies
The OWASP guidelines recommend the removal of certain headers to prevent information disclosure. This feature can be toggled.
The valid values are as follows:
on: Removes the sensitive headers.off: Disabled the removal of headersFor more information, visit: OWASP: Remove Headers
None.
Contributions are welcome! If you find a bug or have suggestions for improvement, please open an issue or submit a pull request.
Apache License 2.0 © 2024 Mridang Agarwalla