From b137e3e72d256fe5e86c81d71abf8cd95936fa73 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Fri, 15 May 2026 13:43:35 +0200
Subject: [PATCH] devops(caddy): add HSTS to GlitchTip vhost

Caddy does not set Strict-Transport-Security on GlitchTip because the
full security_headers snippet is intentionally omitted (Permissions-Policy
interferes with the Sentry SDK CORS). Adding HSTS alone guarantees
HTTPS enforcement at the Caddy layer without breaking SDK ingestion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 infra/caddy/Caddyfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infra/caddy/Caddyfile b/infra/caddy/Caddyfile
index 4477301e..6c27bf7d 100644
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -95,5 +95,6 @@ grafana.archiv.raddatz.cloud {
 }
 
 glitchtip.archiv.raddatz.cloud {
+	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 	reverse_proxy 127.0.0.1:3002
 }