INSIGHT-MVP/config/traefik/dynamic/middlewares.yml

# ============================================================
# Traefik - Globale Middlewares
# ============================================================

http:
  middlewares:
    # Security-Headers fuer alle Responses
    security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        contentSecurityPolicy: >-
          default-src 'self';
          script-src 'self' 'unsafe-inline';
          style-src 'self' 'unsafe-inline';
          img-src 'self' data: blob:;
          font-src 'self';
          connect-src 'self' ws://172.20.10.59;
          frame-ancestors 'self';

    # CORS fuer API
    cors-api:
      headers:
        accessControlAllowMethods:
          - GET
          - POST
          - PUT
          - PATCH
          - DELETE
          - OPTIONS
        accessControlAllowHeaders:
          - Content-Type
          - Authorization
          - X-Tenant-ID
          - X-Request-ID
        accessControlAllowOriginList:
          - "http://172.20.10.59"
        accessControlMaxAge: 86400
        accessControlAllowCredentials: true
        addVaryHeader: true

    # Kompression
    gzip-compress:
      compress:
        excludedContentTypes:
          - text/event-stream