enhanced security through HSTS headers' middleware

docker-compose.yml

@@ -41,12 +41,16 @@ services:
       # configure a global middleware for redirecting HTTP to HTTPS
       - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
       - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
+      # configure a global middleware to harden security through HSTS
+      - traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
+      - traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
+      - traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
       ### Section HTTP
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
       # only some people can access the dashboard, hence protect it with it's whitelist
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
       # redirect Træfik dashboard to HTTPS only
-      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https,hsts
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
       ### Section HTTPS

env.example

@@ -8,7 +8,12 @@ TRAEFIK_NETWORK=traefik
 TRAEFIK_MATCHRULE=traefik.mydomain.com
 TRAEFIK_ROUTER=traefik_mydomain_com
 TRAEFIK_PILOT_TOKEN=
+
+# Security
 TRAEFIK_TLSENABLED=true
+TRAEFIK_STS_SECONDS=15552000
+TRAEFIK_STS_SUBDOMAINS=true
+TRAEFIK_STS_PRELOAD=true
 
 # Certificate provider
 TRAEFIK_DNSPROVIDER=hetzner