{{ test_url }} { {% if test_acme %} header / { # Enable HTTP Strict Transport Security (HSTS) to force clients to always # connect via HTTPS (do not use if only testing) Strict-Transport-Security "max-age=31536000;" # Enable cross-site filter (XSS) and tell browser to block detected attacks X-XSS-Protection "1; mode=block" # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type X-Content-Type-Options "nosniff" # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "DENY" } {% else %} tls internal {% endif %} log { output file {{ caddy_logs }}/{{ test_name }}/vhost.log } root * {{ test_code }} file_server encode zstd gzip } {% if test_www %} www.{{ test_url }} { redir https://{{ test_url }} } {% endif %}