---
# Security Headers Middleware - ported from Caddy configuration
http:
  middlewares:
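    security-headers:
      headers:
        # Request headers added before the request reaches the backend.
        # X-Forwarded-Proto is hard-coded to https (carried over from the Caddy
        # port). Traefik already derives X-Forwarded-Proto from the entrypoint
        # scheme; forcing it here also claims "https" to the backend on a plain
        # HTTP entrypoint, so only keep it if every entrypoint using this
        # middleware terminates TLS or redirects to it -- verify before relying
        # on it. (This mapping appeared twice in the original file; YAML
        # parsers such as yaml.v3 reject duplicate keys, so the whole dynamic
        # config failed to load. It is defined once here.)
        customRequestHeaders:
          X-Forwarded-Proto: https
        customResponseHeaders:
          # Stop browsers from sniffing a media type different from Content-Type
          X-Content-Type-Options: nosniff
          # Clickjacking protection: framing is allowed from the same origin only
          X-Frame-Options: SAMEORIGIN
          # Legacy XSS-auditor header, kept as ported. NOTE(review): current
          # guidance (OWASP) is to send "0" and rely on Content-Security-Policy,
          # since the auditor is gone from modern browsers and block mode
          # enabled side-channel leaks in older ones.
          X-XSS-Protection: "1; mode=block"
          # Send only the origin on cross-origin requests, and nothing on an
          # HTTPS -> HTTP downgrade
          Referrer-Policy: strict-origin-when-cross-origin
          # HSTS is off for testing. max-age=0 is not "unset": it tells browsers
          # to discard any HSTS policy they cached for this host. Before
          # production raise it (e.g. "max-age=31536000; includeSubDomains");
          # Traefik's native stsSeconds / stsIncludeSubdomains are the equivalent.
          Strict-Transport-Security: "max-age=0"
        # NOTE(review): nothing in this middleware strips the backend's Server
        # header; the "remove server identification" intent from the port has
        # no matching setting (customResponseHeaders with an empty value would
        # remove it -- confirm against the Traefik version in use).
        #
        # Traefik-native switches for the same headers. They emit the same
        # values as the customResponseHeaders entries above; keep the two in
        # sync when changing either, since which one wins on a mismatch
        # depends on Traefik's header ordering.
        frameDeny: false  # DENY would be stricter; SAMEORIGIN is set explicitly above
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: strict-origin-when-cross-origin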

    # Auth middleware for Authelia (when we set it up)
    authelia:
      # Forward-auth against Authelia. Each request through this middleware is
      # first sent to the address below; per Traefik's forwardAuth contract a
      # 2xx reply lets it through and any other reply is returned to the
      # client (usually a redirect to the Authelia portal).
      forwardAuth:
        # Plain http on the internal container network; acceptable only if
        # that network is not reachable by clients -- presumably it isn't.
        address: 'http://authelia:9091/api/authz/forward-auth'
        # Identity headers copied from Authelia's response onto the upstream
        # request. Traefik clears client-supplied values for these names
        # before copying, so the backend should only ever see Authelia's
        # values -- verify against the Traefik version in use.
        authResponseHeaders:
          - 'Remote-User'
          - 'Remote-Groups'
          - 'Remote-Name'
          - 'Remote-Email'

    # Rate limiting middleware
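    rate-limit:
      # Token-bucket limit keyed on the client IP (Traefik's default
      # sourceCriterion).
      rateLimit:
        # Sustained rate allowed per period. This MUST be set: Traefik treats a
        # missing or zero average as "no rate limiting", so the original
        # burst/period pair on its own limited nothing. 100 per minute is a
        # conservative starting point -- tune to the service.
        average: 100
        # Extra requests allowed above the average in a short spike.
        burst: 100
        # Window the average is measured over.
        period: 1m
        # NOTE(review): if Traefik sits behind another proxy or CDN, the IP
        # seen here is that proxy's and all clients are throttled as one
        # source; set sourceCriterion.ipStrategy.depth (or excludedIPs) so the
        # real client address is used.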