- Update Gitea from 1.22.6 to 1.25.4 (fixes CVE-2026-20736, CVE-2026-20912) - Disable public registration - Disable Swagger API - Add nginx-ingress security headers: - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy - Enable HSTS preload - Reorganize Gitea K8s manifests into gitea/ directory Made-with: Cursor
# Global options for the ingress-nginx controller: response headers, TLS,
# HSTS, proxy limits and forwarded-header handling. These settings apply to
# every Ingress served by this controller unless an Ingress overrides them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  # Security Headers
  # namespace/name reference to the ConfigMap whose entries are added to
  # responses; here the custom-headers ConfigMap in the ingress-nginx namespace.
  add-headers: "ingress-nginx/custom-headers"

  # Enable snippets for per-ingress customization
  # NOTE(review): with snippet annotations enabled, anyone who can create or
  # edit an Ingress can place raw NGINX configuration into the controller,
  # which typically has read access to Secrets across namespaces. Upstream
  # moved the default to "false" for this reason. Keep "true" only if Ingress
  # write access is limited to trusted operators (RBAC / admission policy),
  # and prefer dedicated annotations over snippets where one exists.
  allow-snippet-annotations: "true"

  # Hide server version
  # "false" stops NGINX from advertising its version in the Server header and
  # on default error pages.
  server-tokens: "false"

  # SSL settings
  # Only TLS 1.2 and 1.3 are offered; older protocol versions are refused.
  ssl-protocols: "TLSv1.2 TLSv1.3"
  # ECDHE key exchange with AES-GCM only (forward secrecy, AEAD). This list
  # governs TLS 1.2; TLS 1.3 suites are negotiated separately from it.
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
  ssl-prefer-server-ciphers: "true"

  # HSTS
  hsts: "true"
  # 31536000 seconds = 365 days.
  hsts-max-age: "31536000"
  hsts-include-subdomains: "true"
  # NOTE(review): preload together with includeSubDomains signals that the
  # whole domain may be hard-coded as HTTPS-only in browsers once it is
  # submitted to a preload list, and removal from those lists is slow. Confirm
  # every subdomain of the served hosts has valid TLS before submitting.
  hsts-preload: "true"

  # Proxy settings
  # NOTE(review): 100m request bodies and 300-second timeouts are global here,
  # presumably sized for Git pushes to Gitea (confirm). Applied to every
  # Ingress they widen the room for large-upload and slow-request resource
  # exhaustion; consider per-Ingress overrides for the services that need them.
  proxy-body-size: "100m"
  proxy-read-timeout: "300"
  proxy-send-timeout: "300"

  # Security
  # NOTE(review): "true" makes NGINX accept incoming X-Forwarded-* headers. That
  # is correct only when a trusted L7 proxy or load balancer in front sets
  # them. If the controller is reachable directly, clients can forge the
  # source IP seen by IP allowlists, rate limits and access logs. Confirm the
  # topology and restrict trusted sources with proxy-real-ip-cidr.
  use-forwarded-headers: "true"
  # Appends the remote address to X-Forwarded-For instead of replacing it, so
  # the header carries the full chain; entries left of the trusted hop are
  # client-supplied and must not be used for access decisions.
  compute-full-forwarded-for: "true"
---
# Response headers that the ingress-nginx controller adds through its
# add-headers setting ("ingress-nginx/custom-headers"). Each data key is a
# header name and each value is the header value sent to clients.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-headers
  namespace: ingress-nginx
data:
  # Tells browsers not to MIME-sniff responses away from the declared
  # Content-Type.
  X-Content-Type-Options: "nosniff"
  # NOTE(review): legacy header. Current browsers have dropped the XSS auditor
  # it controls, and in older browsers the filter itself has been a source of
  # bugs. OWASP guidance is to send "0" or omit it and rely on a
  # Content-Security-Policy instead. Confirm whether "1; mode=block" is still
  # wanted.
  X-XSS-Protection: "1; mode=block"
  # Allows framing only by pages of the same origin (clickjacking defence).
  X-Frame-Options: "SAMEORIGIN"
  # Cross-origin requests receive only the origin as referrer, and nothing is
  # sent on an HTTPS-to-HTTP downgrade.
  Referrer-Policy: "strict-origin-when-cross-origin"
  # Empty allowlists "()" disable each listed browser feature for the page and
  # for any frames it embeds.
  Permissions-Policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
  # NOTE(review): no Content-Security-Policy is set here. A global CSP is hard
  # to get right across different applications, so confirm that each backend
  # (e.g. Gitea) sends its own.