⚡️ IMPROVE: update tls config and middlewares headers

.editorconfig

@@ -2,7 +2,7 @@ root = true
 
 [*]
 end_of_line = lf
-insert_final_newline = false
+insert_final_newline = true
 charset = utf-8
 trim_trailing_whitespace = true
 indent_style = space

README.md

@@ -278,6 +278,24 @@ nginx:
         - traefik.http.routers.portainer.rule=Host(`app.${TRAEFIK_DOMAIN_NAME}`)
 ```
 
+Also included is an option that allows only TLS v1.3. This option must be manually configured. There is an example below on how to do this with a docker label.
+
+```yaml
+nginx:
+    image: nginx:stable
+    networks:
+        - proxy
+    depends_on:
+        - traefik
+    labels:
+        - traefik.enable=true
+        - traefil.docker.network=proxy
+        # only TLS v1.3
+        - traefik.http.routers.project-app.tls.options=tlsv13only@file
+        - traefik.http.routers.portainer.entrypoints=https
+        - traefik.http.routers.portainer.rule=Host(`app.${TRAEFIK_DOMAIN_NAME}`)
+```
+
 Read instruction after container up [instruction](docs/portainer.md)
 
 ## License

src/images/traefik/config/dynamic/middlewares.yml

@@ -21,16 +21,16 @@ http:
     securityHeaders:
       headers:
         customResponseHeaders:
-          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          X-Robots-Tag: none,noarchive,nosnippet,notranslate,noimageindex
           server: ""
-          X-Forwarded-Proto: "https"
+          X-Forwarded-Proto: https
         sslProxyHeaders:
           X-Forwarded-Proto: https
-        referrerPolicy: "same-origin"
+        referrerPolicy: origin-when-cross-origin
         hostsProxyHeaders:
-          - "X-Forwarded-Host"
+          - X-Forwarded-Host
         customRequestHeaders:
-          X-Forwarded-Proto: "https"
+          X-Forwarded-Proto: https
         contentTypeNosniff: true
         browserXssFilter: true
         forceSTSHeader: true
@@ -39,7 +39,8 @@ http:
         stsPreload: true
         frameDeny: true
         sslForceHost: true
-        permissionsPolicy: "geolocation=(self), microphone=(), camera=(), payment=(), usb=(), vr=(), fullscreen=*"
+        contentSecurityPolicy: script-src 'self'
+        permissionsPolicy: geolocation=(self), microphone=(), camera=(), payment=(), usb=(), vr=(), fullscreen=*
 
     corsHeaders:
       headers:

src/images/traefik/config/dynamic/tls.yml

@@ -4,13 +4,17 @@ tls:
     default:
       minVersion: VersionTLS12
       cipherSuites:
-        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        # Recommended ciphers for TLSv1.2
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        # Recommended ciphers for TLSv1.3
         - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
         - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
       sniStrict: true
       alpnProtocols:
         - http/1.1
         - h2
+    tlsv13only:
+      minVersion: VersionTLS13