From 8524cc75d66025e41d06b815e683f5a81c5caef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A1bio=20C=2E=20Barrionuevo=20da=20Luz?=
Date: Mon, 4 Sep 2023 10:49:07 -0300
Subject: [PATCH] Add safe security headers (#1121)

This pull-request add/changes the HTTP headers to include safe defaults to Caddy and get the A+ score on the https://observatory.mozilla.org/ test
---
 .../getting-started-with-zitadel.sh | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/infrastructure_files/getting-started-with-zitadel.sh b/infrastructure_files/getting-started-with-zitadel.sh
index 74f9b6398..d00c2719c 100644
--- a/infrastructure_files/getting-started-with-zitadel.sh
+++ b/infrastructure_files/getting-started-with-zitadel.sh
@@ -487,7 +487,48 @@ renderCaddyfile() {
 }
 }
+(security_headers) {
+ header * {
+ # enable HSTS
+ # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#strict-transport-security-hsts
+ # NOTE: Read carefully how this header works before using it.
+ # If the HSTS header is misconfigured or if there is a problem with
+ # the SSL/TLS certificate being used, legitimate users might be unable
+ # to access the website. For example, if the HSTS header is set to a
+ # very long duration and the SSL/TLS certificate expires or is revoked,
+ # legitimate users might be unable to access the website until
+ # the HSTS header duration has expired.
+ # The recommended value for the max-age is 2 year (63072000 seconds).
+ # But we are using 1 hour (3600 seconds) for testing purposes
+ # and ensure that the website is working properly before setting
+ # to two years.
+
+ Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+
+ # disable clients from sniffing the media type
+ # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+ X-Content-Type-Options "nosniff"
+
+ # clickjacking protection
+ # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options
+ X-Frame-Options "DENY"
+
+ # xss protection
+ # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+ X-XSS-Protection "1; mode=block"
+
+ # Remove -Server header, which is an information leak
+ # Remove Caddy from Headers
+ -Server
+
+ # keep referrer data off of HTTP connections
+ # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#referrer-policy
+ Referrer-Policy strict-origin-when-cross-origin
+ }
+}
+
 :80${CADDY_SECURE_DOMAIN} {
+ import security_headers
 # Signal
 reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
 # Management
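Review bot: `X-XSS-Protection "1; mode=block"` contradicts the OWASP page cited in the comment directly above it, which recommends not setting this header at all or explicitly setting it to `0`: the legacy XSS auditor it enables has been removed from current browsers, and in older ones it has itself been used to create vulnerabilities on otherwise safe sites, so the line should become `X-XSS-Protection "0"` with the "xss protection" comment reworded to say the auditor is disabled on purpose. Second, `Strict-Transport-Security "max-age=3600; includeSubDomains; preload"` carries the `preload` token while the comment above it says the one-hour max-age is a temporary testing value; `preload` signals consent to be hard-coded into browser preload lists, which require a max-age of at least one year, so it should be dropped until the max-age is raised, e.g. `Strict-Transport-Security "max-age=3600; includeSubDomains"`. The `renderCaddyfile` shell function that emits this Caddyfile starts and continues outside the hunk.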