How to Setup Security on Caddy

A comprehensive guide to configuring security features in Caddy for enhanced protection.

Prerequisites

Before configuring security on Caddy, ensure you have:

  • Caddy 2.x installed and running
  • Access to edit Caddyfile
  • Basic understanding of web security concepts
  • Root or sudo access to the server

Basic Security Configuration

Core Security Settings
example.com {
    # TLS configuration. Caddy's defaults (TLS 1.2 and 1.3, modern cipher
    # suites, automatic certificates) are already safe; these lines only pin
    # them explicitly. Caddy names curves by their IANA/SEC identifiers, not
    # the "p256" shorthand.
    tls {
        protocols tls1.2 tls1.3
        curves x25519 secp256r1 secp384r1 secp521r1
        alpn h2 http/1.1
    }

    # Basic security headers
    header {
        # Remove the "Server: Caddy" header (hides the product name only;
        # it is not a hardening measure on its own)
        -Server
        # Security headers
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }
}

Key directives explained:

  • tls: Configures TLS settings for secure connections; Caddy still obtains and renews the certificate automatically
  • protocols: Subdirective of tls that sets the minimum and maximum allowed TLS versions
  • curves: Subdirective of tls that restricts the key-exchange curves offered
  • header: Sets security-related HTTP headers; a leading "-" deletes a header instead of setting it

Be deliberate with Strict-Transport-Security: includeSubDomains forces every subdomain onto HTTPS, and preload is a request to be hard-coded into browsers, which is difficult to undo. Add preload only after confirming that every subdomain serves HTTPS and you intend to submit the domain to the preload list.

Security Headers

Advanced Header Configuration
example.com {
    header {
        # Content Security Policy. Keep script-src tight: 'unsafe-inline' and
        # 'unsafe-eval' let injected markup execute, which is exactly what CSP
        # exists to stop. Use nonces or hashes for inline scripts you cannot
        # move into files.
        Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"

        # Cross-Origin isolation. require-corp blocks any cross-origin image,
        # script, font or frame that does not send CORP or CORS headers, so
        # test third-party embeds before enabling it.
        Cross-Origin-Embedder-Policy "require-corp"
        Cross-Origin-Opener-Policy "same-origin"
        Cross-Origin-Resource-Policy "same-origin"

        # Legacy headers. The XSS auditor that X-XSS-Protection controlled has
        # been removed from browsers, and "1; mode=block" was abused for
        # cross-site leaks, so the safe value is an explicit 0.
        X-XSS-Protection "0"
        X-Download-Options "noopen"
        X-Permitted-Cross-Domain-Policies "none"
    }
}

Roll out a new Content-Security-Policy as Content-Security-Policy-Report-Only first, watch the violation reports, and switch to the enforcing header only once the site works without them. If inline styles are unavoidable, 'unsafe-inline' in style-src is a smaller concession than the same token in script-src, but nonces are still preferable.
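A practitioner will want to confirm that the headers actually leave the server as configured. The following is an added example, not code from the original page or from Caddy: it audits a captured response (the two response dumps are constructed by hand to resemble `curl -sI` output) against the headers set in the two Caddyfile sections above. The thresholds, such as requiring a one-year HSTS max-age, are the editor's choices, not Caddy defaults.

```python
"""Audit captured HTTP responses for the security headers set in the Caddyfile.

Added example for this guide; not Caddy's code. Inputs are constructed
response dumps, so the check runs offline.
"""
import re

# Constructed: what a weakly configured site might return.
WEAK_RESPONSE = """HTTP/2 200
server: Caddy
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
x-xss-protection: 1; mode=block
"""

# Constructed: what the hardened Caddyfile in this guide should produce.
HARDENED_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
x-xss-protection: 0
"""

ONE_YEAR = 31536000  # editor's threshold for HSTS max-age, in seconds


def parse_headers(raw):
    """Return {lower-case name: value} from a status line plus header lines."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit(raw):
    """Return a sorted list of findings; an empty list means all checks pass."""
    h = parse_headers(raw)
    findings = []

    if "server" in h:
        findings.append("server header disclosed")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("hsts missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("hsts max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp missing")
    else:
        # script-src falls back to default-src when not given explicitly.
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in scripts:
                findings.append(f"csp script-src allows {weak}")
        # Clickjacking needs either frame-ancestors or X-Frame-Options.
        if csp_directive(csp, "frame-ancestors") is None and "x-frame-options" not in h:
            findings.append("no clickjacking protection")

    for name in ("x-content-type-options", "referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")

    # The legacy XSS auditor is gone from browsers; "1; mode=block" was abused
    # for cross-site leaks, so only "0" or absence is acceptable here.
    if h.get("x-xss-protection", "0").startswith("1"):
        findings.append("x-xss-protection should be 0 or absent")

    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "OK")
```

Feed it the output of `curl -sI https://example.com` in place of the constructed dumps to check a live deployment; the parser only needs the status line and header lines.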

Rate Limiting

Caddy's standard build has no rate_limit directive; the rate/burst form that resembles nginx's configuration is not accepted. Rate limiting comes from the caddy-ratelimit plugin (github.com/mholt/caddy-ratelimit), so build Caddy with it first:

xcaddy build --with github.com/mholt/caddy-ratelimit

Because it is a third-party directive, the Caddyfile must also be told where it runs in the handler chain. The zone syntax below follows the plugin's README at the time of writing.

{
    # Third-party directive: declare its position in the handler order
    # (on Caddy 2.8 or newer the reference directive is spelled basic_auth)
    order rate_limit before basicauth
}

example.com {
    # Rate limiting for API endpoints: 10 requests per 10 s per client IP
    @api path /api/*
    rate_limit @api {
        zone api_limit {
            key    {client_ip}
            events 10
            window 10s
        }
    }

    # Rate limiting for login attempts: 5 POSTs per minute per client IP
    @login {
        path /login
        method POST
    }
    rate_limit @login {
        zone login_limit {
            key    {client_ip}
            events 5
            window 1m
        }
    }
}

Rate limiting explained:

  • zone: Names a rate limiting bucket; each zone keeps its own counters
  • key: The value the counter is kept per, here the client IP; {client_ip} honours trusted_proxies, whereas {remote_host} is the raw TCP peer and would lump every user behind a proxy into one counter
  • events: Maximum number of requests allowed per key within the window
  • window: Sliding time window over which events are counted; there is no separate burst setting, the window itself is the burst allowance

Requests over the limit receive HTTP 429 with a Retry-After header, which is what to count in the access log when tuning the limits.
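To see what "events per sliding window" means for a client that bursts, here is an added example in the editor's own Python, not code from caddy-ratelimit and not a claim about the plugin's internals. The two zones mirror the limits configured in this section (10 per 10 s for the API, 5 per minute for login), keyed by client IP; timestamps are passed in explicitly so the simulation is deterministic.

```python
"""Sliding-window rate limiter in the style of the zones configured above.

Added example for this guide; not caddy-ratelimit's code. Zone names, limits
and client addresses are taken from, or constructed for, this section.
"""
from collections import defaultdict, deque


class Zone:
    """Allow at most `events` requests per `window` seconds for each key."""

    def __init__(self, name, events, window):
        self.name = name
        self.events = events
        self.window = window
        self._log = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds) for one request at time `now`."""
        q = self._log[key]
        # Drop accepted timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) < self.events:
            q.append(now)
            return True, 0
        # The oldest accepted request decides when the next slot opens.
        return False, self.window - (now - q[0])


def handle(zone, client_ip, now):
    """Return the status code the server would send: 200, or 429 when limited."""
    allowed, _retry_after = zone.allow(client_ip, now)
    return 200 if allowed else 429


def simulate_burst(zone, client_ip, count, start=0.0, spacing=0.1):
    """Fire `count` requests `spacing` seconds apart; return the status codes."""
    return [handle(zone, client_ip, start + i * spacing) for i in range(count)]


def simulate_login_brute_force():
    """12 POST /login attempts, one per second, from a constructed client IP.

    Returns (statuses, status_for_other_client, status_after_window).
    """
    zone = Zone("login_limit", events=5, window=60)
    statuses = [handle(zone, "203.0.113.7", float(t)) for t in range(12)]
    # A different client has its own counter and is unaffected.
    other = handle(zone, "198.51.100.9", 12.0)
    # 61 s after the first attempt, the attempts older than 60 s have aged
    # out of the window, so the same client is admitted again.
    later = handle(zone, "203.0.113.7", 61.0)
    return statuses, other, later


if __name__ == "__main__":
    api = Zone("api_limit", events=10, window=10)
    print("api burst:", simulate_burst(api, "203.0.113.7", 12))
    print("login:", simulate_login_brute_force())
```

The retry value returned by `Zone.allow` is the number the server puts in Retry-After; a client that honours it stops hammering the endpoint instead of burning its next window immediately.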

WAF Integration

Caddy's core distribution contains no web application firewall, and the security directive shown in some guides belongs to the caddy-security plugin, which provides authentication and authorization rather than request inspection. For real WAF coverage, build Caddy with the Coraza module (github.com/corazawaf/coraza-caddy) and load the OWASP Core Rule Set. What core Caddy can do on its own is coarse blocking with request matchers and the respond directive, as below.

example.com {
    # Refuse POSTs to PHP files on a site that should not be executing PHP
    @php_post {
        path *.php
        method POST
    }
    respond @php_post "Access denied" 403

    # Coarse SQL keyword filter on the query string. The placeholder holds the
    # query string as received, without percent-decoding, so this catches only
    # unobfuscated payloads and will also block benign values such as
    # "category=dropdown". Treat it as a stopgap, not as a WAF.
    @sqli expression {http.request.uri.query}.matches('(?i)(select|insert|update|delete|drop|union)')
    respond @sqli "Request blocked" 403
}

Before enabling a rule like @sqli in production, log matches instead of blocking them for a while: replace the respond line with a log_append or a header on the response, review the hits, and block only once the false-positive rate is understood.
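The keyword rule above is worth testing before trusting it. The following added example, written for this guide and not Caddy code, runs the same keyword list over constructed query strings twice: once as Caddy's matcher would see them (raw, undecoded, substring match) and once after a normalization step of the editor's own (percent-decoding, stripping SQL block comments, whole-word match) to show what a real WAF does before it inspects input, and why even that is not enough.

```python
"""Evaluate the SQL keyword filter against raw and normalized query strings.

Added example for this guide; not Caddy code. RAW_FILTER models the regex
in the Caddyfile applied to the undecoded query string. NORMALIZED_FILTER
and normalize() are the editor's illustration of decode-then-match.
"""
import re
from urllib.parse import unquote_plus

KEYWORDS = "SELECT|INSERT|UPDATE|DELETE|DROP|UNION"
RAW_FILTER = re.compile(rf"(?i)({KEYWORDS})")           # substring, as in the Caddyfile
NORMALIZED_FILTER = re.compile(rf"(?i)\b({KEYWORDS})\b")  # whole words after normalization


def normalize(query):
    """Percent-decode, strip SQL block comments, collapse whitespace."""
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", "", decoded)
    return re.sub(r"\s+", " ", decoded)


# Constructed requests: (query string as the server receives it, is it malicious?)
SAMPLES = [
    ("id=1+UNION+SELECT+password+FROM+users", True),   # plain payload
    ("id=1+UN%49ON+SEL%45CT+password,2", True),        # percent-encoded letters in keywords
    ("id=1+UNI/**/ON+SEL/**/ECT+1,2", True),           # keywords split by comments
    ("category=dropdown", False),                      # "drop" as a substring
    ("q=update+my+profile", False),                    # "update" as an ordinary word
]


def classify(query):
    """Return (blocked_by_raw_filter, blocked_by_normalized_filter)."""
    return (
        bool(RAW_FILTER.search(query)),
        bool(NORMALIZED_FILTER.search(normalize(query))),
    )


def score(samples):
    """Count missed attacks and false positives for each filter."""
    result = {
        "raw": {"missed": 0, "false_positive": 0},
        "normalized": {"missed": 0, "false_positive": 0},
    }
    for query, malicious in samples:
        raw, norm = classify(query)
        for name, blocked in (("raw", raw), ("normalized", norm)):
            if malicious and not blocked:
                result[name]["missed"] += 1
            if blocked and not malicious:
                result[name]["false_positive"] += 1
    return result


if __name__ == "__main__":
    for query, malicious in SAMPLES:
        raw, norm = classify(query)
        print(f"{'ATTACK' if malicious else 'benign':6} raw={raw!s:5} normalized={norm!s:5} {query}")
    print(score(SAMPLES))
```

The raw filter misses two of the three attacks and blocks two of the two benign requests; normalization fixes the misses but still blocks "update my profile", because a keyword list has no notion of SQL syntax. That residual false positive is the reason rule sets such as the OWASP Core Rule Set score multiple signals rather than matching single words.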

Best Practices

Recommended Practices
  • TLS Configuration:
    • Prefer TLS 1.3; keep TLS 1.2 only for clients that still require it
    • Implement HSTS, and add preload only once every subdomain serves HTTPS
    • Keep Caddy's default cipher suites unless a documented client requirement forces a change
  • Headers:
    • Implement strict CSP policies, with no 'unsafe-inline' or 'unsafe-eval' in script-src
    • Use security headers consistently across every site block
    • Regularly review and update policies, trialling changes in Content-Security-Policy-Report-Only first
  • Rate Limiting:
    • Implement different limits for different endpoints, tightest on login, password-reset and other authentication paths
    • Monitor rate limit hits by counting HTTP 429 responses in the access log
    • Adjust limits based on observed usage patterns rather than guesses
  • WAF Rules:
    • Start with basic rules and expand
    • Regularly update rule sets
    • Monitor false positives, and run new rules in detection-only mode before they block traffic