From 76192667e0de26fe8c69fe0d129fd22c3eb61733 Mon Sep 17 00:00:00 2001
From: lila
Date: Thu, 23 Apr 2026 21:45:35 +0200
Subject: [PATCH] feat(caddy): add security headers for frontend

Adds HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy to lilastudy.com responses. CSP allows connect-src to api.lilastudy.com over HTTPS and wss:// for WebSocket multiplayer. Tailwind's inline styles require style-src 'unsafe-inline'.
---
 Caddyfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Caddyfile b/Caddyfile
index 5705a44..0f95af4 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,4 +1,11 @@
 lilastudy.com {
+ header {
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ Content-Security-Policy "default-src 'self'; connect-src 'self' https://api.lilastudy.com wss://api.lilastudy.com; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'"
+ }
 reverse_proxy web:80
 }
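Review bot: The Content-Security-Policy line leaves `base-uri` and `form-action` unset, and neither directive falls back to `default-src`, so an injected `<base>` tag or a form posting to a third-party origin is still permitted by this policy; `object-src` currently inherits `'self'` and `frame-ancestors` is absent, so framing protection rests on X-Frame-Options alone. Appending `; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'` to the CSP value closes those gaps without affecting the API or WebSocket allowances the commit describes. `includeSubDomains` on Strict-Transport-Security commits every subdomain (api.lilastudy.com and any others) to HTTPS-only for a year in visiting browsers, so confirm no subdomain still needs plain HTTP before this ships. If the upstream at `web:80` already emits any of these headers, Caddy's non-deferred `header` directive may result in the client receiving two values for the same header; if that is the case, the `defer` subdirective (or the `>` prefix on the affected field) would let the Caddy-set value replace the upstream one.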