Get More Secure Websites From Your Traefik Configuration using Mozilla's Observatory

I share my Traefik configuration of secure http headers for getting high ratings with Mozilla Observatory.

Thanks to /u/TrollW00t on Reddit for bringing Mozilla Observatory to my attention. In a previous article I talked about improved  security ratings from Qualys SSL Labs, but I did not go far enough!

My rating for simplecto.com from Mozilla Observatory was an F!

The creators of Firefox certainly know a lot about browser security, so their Observatory app is a welcome tool. Here we will go step-by step and outline the changes to my config that took it from F to a B.

A ratings are possible but only with Content-Security-Policy, but that can wait for another post.

Mozilla Observatory's 11 tests

Below are the secure headers settings I use now in my deployments:

# Adding in secure headers
- traefik.http.middlewares.securedheaders.headers.forcestsheader=true
- traefik.http.middlewares.securedheaders.headers.sslRedirect=true
- traefik.http.middlewares.securedheaders.headers.STSPreload=true
- traefik.http.middlewares.securedheaders.headers.ContentTypeNosniff=true
- traefik.http.middlewares.securedheaders.headers.BrowserXssFilter=true
- traefik.http.middlewares.securedheaders.headers.STSIncludeSubdomains=true
- traefik.http.middlewares.securedheaders.headers.stsSeconds=63072000
- traefik.http.middlewares.securedheaders.headers.frameDeny=true
- traefik.http.middlewares.securedheaders.headers.browserXssFilter=true
- traefik.http.middlewares.securedheaders.headers.contentTypeNosniff=true

The settings above instruct the browser to make it harder for XSS attacks, SSL downgrade attacks, and prevent the iFrame-ing of content into other pages.

Subscribe to Candid and colorful thoughts on enterprise readiness

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe