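{
	{$CADDY_GLOBAL_OPTIONS}

	frankenphp {
		{$FRANKENPHP_CONFIG}
	}

	# https://caddyserver.com/docs/caddyfile/directives#sorting-algorithm
	# Explicit ordering is required because mercure, vulcain and php_server
	# are not part of Caddy's built-in directive order.
	order mercure after encode
	order vulcain after reverse_proxy
	order php_server before file_server
}

{$CADDY_EXTRA_CONFIG}

{$SERVER_NAME:localhost} {
	log {
		# Redact the authorization query parameter that can be set by Mercure,
		# so subscriber/publisher JWTs passed in the query string never reach the access log.
		format filter {
			wrap console
			fields {
				uri query {
					replace authorization REDACTED
				}
			}
		}
	}

	root * /app/public
	encode zstd br gzip

	mercure {
		# Transport to use (default to Bolt)
		transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
		# Publisher JWT key
		publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
		# Subscriber JWT key
		subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
		# Allow anonymous subscribers (double-check that it's what you want)
		anonymous
		# Enable the subscription API (double-check that it's what you want)
		subscriptions
		# Extra directives
		{$MERCURE_EXTRA_DIRECTIVES}
	}

	vulcain

	{$CADDY_SERVER_EXTRA_DIRECTIVES}

	# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
	header ?Permissions-Policy "browsing-topics=()"

	# Set a strict CSP and nosniff for all static assets not handled by PHP.
	# ? means "set only if not already present", so PHP responses carrying a Nelmio CSP are left untouched.
	header ?Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;"
	header ?X-Content-Type-Options "nosniff"

	# SVG files get a slightly different CSP because they can embed resources and must not be framed.
	# Unlike the ? headers above this one is unconditional: it replaces any CSP already set on a
	# .svg path, including one produced by a PHP route that happens to end in .svg.
	@svg path *.svg *.svg.gz *.svg.br
	header @svg Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; sandbox;"

	# Prevent PHP execution in the media upload directory.
	# The PHP handler splits the request path at ".php" (PATH_INFO), so "/media/x.php/anything"
	# is still dispatched as the script "/media/x.php"; the pattern therefore has to accept a
	# trailing "/..." segment as well as end-of-path, not only "$".
	# Caddy sorts `respond` ahead of the proxy/file-serving directives, so this 403 is
	# evaluated before php_server gets the request.
	@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)(/|$)
	respond @php_in_media 403

	php_server
}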