Get More Secure Websites From Your Traefik Configuration using Mozilla's Observatory

Thanks to /u/TrollW00t on Reddit for bringing Mozilla Observatory to my attention. In a previous article I talked about improved security ratings from Qualys SSL Labs, but I did not go far enough!

My rating for simplecto.com from Mozilla Observatory was an F!

The creators of Firefox certainly know a lot about browser security, so their Observatory app is a welcome tool. Here we will go step-by-step and outline the changes to my config that took it from an F to a B.

An A rating is possible, but only with a Content-Security-Policy, and that can wait for another post.

Mozilla Observatory's 11 tests

Below are the secure headers settings I use now in my deployments:

# Adding in secure headers (Traefik "headers" middleware, declared as Docker labels;
# Traefik label keys are case-insensitive, so each option is listed only once)
# Redirect HTTP to HTTPS and always send the HSTS header
- traefik.http.middlewares.securedheaders.headers.sslRedirect=true
- traefik.http.middlewares.securedheaders.headers.forceSTSHeader=true
# HSTS: two years, cover subdomains, and opt in to the browser preload list
- traefik.http.middlewares.securedheaders.headers.stsSeconds=63072000
- traefik.http.middlewares.securedheaders.headers.stsIncludeSubdomains=true
- traefik.http.middlewares.securedheaders.headers.stsPreload=true
# X-Content-Type-Options: nosniff
- traefik.http.middlewares.securedheaders.headers.contentTypeNosniff=true
# X-XSS-Protection: 1; mode=block
- traefik.http.middlewares.securedheaders.headers.browserXssFilter=true
# X-Frame-Options: DENY
- traefik.http.middlewares.securedheaders.headers.frameDeny=true

The settings above instruct the browser to enforce HTTPS (which blocks SSL downgrade attacks), to enable its built-in XSS filter, to refuse MIME-type sniffing, and to refuse to render the content inside an iframe on other pages.
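To confirm the middleware is actually emitting these headers before re-running Observatory, the following added check (my own example, not part of the original post or of Traefik) inspects a response's headers against the values the labels above produce. It runs offline on constructed sample headers; `fetch_headers` is an optional helper for pointing it at a live site.

```python
import re
import urllib.request

# Minimum HSTS max-age, matching stsSeconds=63072000 in the Traefik labels above
HSTS_MIN_AGE = 63072000


def check_secure_headers(headers: dict) -> dict:
    """Return {check_name: passed} for the headers the middleware above sets.

    `headers` maps response header names to values (names matched case-insensitively).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}

    # HSTS: max-age at least stsSeconds, plus includeSubDomains and preload
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    results["hsts_max_age"] = bool(m) and int(m.group(1)) >= HSTS_MIN_AGE
    results["hsts_include_subdomains"] = "includesubdomains" in hsts
    results["hsts_preload"] = "preload" in hsts

    # contentTypeNosniff -> X-Content-Type-Options: nosniff
    results["nosniff"] = h.get("x-content-type-options", "").lower() == "nosniff"
    # frameDeny -> X-Frame-Options: DENY
    results["frame_deny"] = h.get("x-frame-options", "").upper() == "DENY"
    # browserXssFilter -> X-XSS-Protection: 1; mode=block
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    results["xss_filter"] = xss == "1;mode=block"
    return results


def all_passed(results: dict) -> bool:
    return all(results.values())


def fetch_headers(url: str) -> dict:
    """Fetch a URL and return its response headers (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())


# Constructed sample: headers as the middleware above emits them
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
# Constructed sample: short HSTS, filter disabled, no sniffing/framing protection
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300", "X-XSS-Protection": "0"}

if __name__ == "__main__":
    for name, hdrs in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        r = check_secure_headers(hdrs)
        print(name, "PASS" if all_passed(r) else "FAIL", [k for k, v in r.items() if not v])
```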