apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  # Security Headers
  add-headers: "ingress-nginx/custom-headers"
  
  # Enable snippets for per-ingress customization
  allow-snippet-annotations: "true"
  
  # Hide server version
  server-tokens: "false"
  
  # SSL settings
  ssl-protocols: "TLSv1.2 TLSv1.3"
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
  ssl-prefer-server-ciphers: "true"
  
  # HSTS
  hsts: "true"
  hsts-max-age: "31536000"
  hsts-include-subdomains: "true"
  hsts-preload: "true"
  
  # Proxy settings
  proxy-body-size: "100m"
  proxy-read-timeout: "300"
  proxy-send-timeout: "300"
  
  # Security
  use-forwarded-headers: "true"
  compute-full-forwarded-for: "true"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-headers
  namespace: ingress-nginx
data:
  X-Content-Type-Options: "nosniff"
  X-XSS-Protection: "1; mode=block"
  X-Frame-Options: "SAMEORIGIN"
  Referrer-Policy: "strict-origin-when-cross-origin"
  Permissions-Policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"