From cf3b060f313df1c0c6f26f200a7427e635aae3c4 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 3 Jan 2025 14:59:40 +0100 Subject: [PATCH] merge upstream changes --- Caddyfile | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/Caddyfile b/Caddyfile index c415e3a..764d84d 100644 --- a/Caddyfile +++ b/Caddyfile @@ -33,20 +33,21 @@ encode zstd gzip path /stats/checker } -@static { - path /static/* +@search { + path /search } @imageproxy { path /image_proxy } -header { - # Force clients to use HTTPS - Strict-Transport-Security "max-age=31536000" +@static { + path /static/* +} - # Prevent MIME type sniffing from the declared Content-Type - X-Content-Type-Options "nosniff" +header { + # CSP (https://content-security-policy.com) + Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;" # Disable some browser features Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()" @@ -54,6 +55,12 @@ header { # Set referrer policy Referrer-Policy "no-referrer" + # Force clients to use HTTPS + Strict-Transport-Security "max-age=31536000" + + # Prevent MIME type sniffing from the declared Content-Type + X-Content-Type-Options "nosniff" + # X-Robots-Tag (comment to allow site indexing) X-Robots-Tag "noindex, noarchive, nofollow" @@ -67,13 +74,11 @@ header @api { } route { - # Caching - header Cache-Control "no-cache, no-store" - header @static Cache-Control "public, max-age=31536000" - - # CSP (https://content-security-policy.com) - header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" - header @imageproxy Content-Security-Policy "default-src 'none'; img-src 'self' data:" + # Cache policy + header Cache-Control "max-age=0, no-store" + header @search Cache-Control "max-age=5, private" + header @imageproxy Cache-Control "max-age=604800, public" + header @static Cache-Control "max-age=31536000, public, immutable" } # SearXNG (uWSGI)