Reverse proxy for the Familienarchiv host, validated against Caddy 2.

Includes both vhosts (production and staging), the Gitea vhost, and:

- HSTS, X-Content-Type-Options, Referrer-Policy headers on every site
- "-Server" header strip to hide the Caddy version
- /actuator/* responds 404 on both archive vhosts (defense in depth for Spring Boot's management endpoints)

X-Frame-Options is intentionally not set in Caddy: Spring Security configures frame-options SAMEORIGIN for the in-app PDF preview iframe; a DENY header here would conflict.

Refs #497.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1.5 KiB
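A Caddyfile laid out the way the commit message describes, as an added sketch and not the file from this commit. The hostnames, upstream addresses and the concrete header values (HSTS max-age, Referrer-Policy value) are assumptions; only the header names, the `-Server` strip and the `/actuator/*` 404 come from the message.

```caddyfile
# Added illustration. Hostnames, upstream ports and header values are assumed.

# Shared response headers, imported by every site block.
(security_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		# A leading "-" deletes the header from the response.
		-Server
		# No X-Frame-Options here: the application already sends SAMEORIGIN
		# for its PDF preview iframe, and a second value set at the proxy
		# would conflict with it.
	}
}

# Answer management endpoints at the proxy so they never reach the backend.
# Note: /actuator/* does not match the bare path /actuator.
(block_actuator) {
	@actuator path /actuator/*
	respond @actuator 404
}

# Production archive vhost (placeholder hostname)
archive.example.org {
	import security_headers
	import block_actuator
	reverse_proxy 127.0.0.1:8080
}

# Staging archive vhost (placeholder hostname)
staging.archive.example.org {
	import security_headers
	import block_actuator
	reverse_proxy 127.0.0.1:8081
}

# Gitea vhost (placeholder hostname); no actuator rule, it is not a Spring Boot app
git.example.org {
	import security_headers
	reverse_proxy 127.0.0.1:3000
}
```

`caddy validate --config Caddyfile` checks a file like this for syntax and adapter errors before a reload.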