feat: add secure default headers to websecure

clusters/home/apps/network/traefik/addons/middleware.yml

@@ -0,0 +1,37 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: secure-headers-middleware
+  namespace: traefik-system
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    frameDeny: true
+    sslRedirect: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 315360000
+    contentSecurityPolicy: |
+      default-src 'none';
+      style-src 'none';
+      form-action 'none';
+      frame-ancestors 'none';
+      script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' http: https:;
+      object-src 'none';
+      base-uri 'none';
+      require-trusted-types-for 'script';
+    accessControlAllowMethods:
+      - "GET"
+      - "POST"
+    accessControlAllowOriginListRegex:
+      - "^(.+)\\.layertwo\\.dev$"
+    accessControlMaxAge: 100
+    addVaryHeader: true
+    referrerPolicy: "same-origin"
+    customFrameOptionsValue: SAMEORIGIN
+    customResponseHeaders:
+      server: "layertwo"
+      Server: "layertwo"

clusters/home/apps/network/traefik/external/release.yml

@@ -33,6 +33,8 @@ spec:
         transport:
           respondingTimeouts:
             readTimeout: 0s
+        middlewares:
+          - traefik-system-secure-headers-middleware
 
     tlsStore:
       default:

clusters/home/apps/network/traefik/internal/release.yml

@@ -33,6 +33,8 @@ spec:
         transport:
           respondingTimeouts:
             readTimeout: 0s
+        middlewares:
+          - traefik-system-secure-headers-middleware
       ldap:
         port: 389
         protocol: TCP