WR-025 P. Webb 2026.06.17

Caddy hardening

With my recent launch[1], someone DM'd me about my site's security not being up to snuff. Back in my nginx days, I was obSESSED with getting a great score on `securityheaders.com`[2]. With Caddy, I threw all that out the window. Not anymore!

This snippet inside your site blocks will give your Caddy site an A rating:

```
header {
    #Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; worker-src 'self' blob:"
    Permissions-Policy "camera=(), geolocation=(), microphone=()"
    Referrer-Policy "strict-origin-when-cross-origin"
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    -Server
}
```

You'll notice the first line is commented out; this is because CSP is hella difficult to get right and you'll have to do a bit of trial and error to get your site 1) secure and 2) operational. Once you do (and no longer have `'unsafe-inline'` in `script-src`), you should have an A+ rating.

References

[1]

[2]
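As an added example (not part of the original post), here is a small Python checker that audits a captured set of response headers against the headers the snippet above sets, including the `'unsafe-inline'` in `script-src` check that separates A from A+. The required-header list and the findings it reports are my assumptions modelled on the post, not the scoring algorithm of `securityheaders.com`; the sample headers are constructed, not captured from a real site.

```python
# Added example (not from the post): audit a captured header set against the
# headers the Caddy snippet sets. Header list and rules are assumptions modelled
# on the post, not the scoring algorithm of securityheaders.com.
REQUIRED = (
    "Content-Security-Policy", "Permissions-Policy", "Referrer-Policy",
    "Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options",
)


def parse_csp(value):
    """Map each CSP directive to its source list, e.g. {'script-src': ["'self'"]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit(headers):
    """Return findings for one response; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in lower]
    if "server" in lower:
        findings.append("Server header present (the snippet strips it with -Server)")
    csp = lower.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as CSP specifies
        script = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append("script-src allows 'unsafe-inline'; remove it for A+")
    return findings


# Constructed sample: the post's snippet with its CSP line uncommented.
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'",
    "Permissions-Policy": "camera=(), geolocation=(), microphone=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE) or ["no findings"]))
```

Feed it the headers from a real `curl -I` of your site once the CSP line is uncommented; an empty findings list is the state the post describes as A+.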