[tls.options] [tls.options.tls12] minVersion = "VersionTLS12" cipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ] curvePreferences = ["CurveP521", "CurveP384", "CurveP256"] [http] [http.middlewares.hardening.headers] browserXssFilter = true contentTypeNosniff = true forceSTSHeader = true frameDeny = true stsIncludeSubdomains = true stsPreload = true customFrameOptionsValue = "SAMEORIGIN" referrerPolicy = "same-origin" featurePolicy = "vibrate 'self'" stsSeconds = 315360000 [http.middlewares.compression.compress] excludedContentTypes = ["text/event-stream"] [http.middlewares.allowFrameAndCORS.headers] contentSecurityPolicy = "frame-ancestors *" accessControlAllowHeaders = ["*"] accessControlAllowMethods = ["GET", "POST", "OPTIONS"] accessControlAllowOriginList = ["*"] accessControlExposeHeaders = ["*"]