From 1eeabd5bcbbae2087b1f6cd5ac177ec9197de943 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Mon, 2 Mar 2026 11:32:43 +0100
Subject: [PATCH] feat: add hsts
---
 traefik/collabora.yml | 2 ++
 traefik/ldap-keycloak.yml | 1 +
 traefik/opencloud.yml | 5 +++++
 3 files changed, 8 insertions(+)
diff --git a/traefik/collabora.yml b/traefik/collabora.yml
index 74182ee..808b9e3 100644
--- a/traefik/collabora.yml
+++ b/traefik/collabora.yml
@@ -13,6 +13,7 @@ services:
 - "traefik.http.routers.collaboration.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.opencloud.test}`)"
 - "traefik.http.routers.collaboration.${TRAEFIK_SERVICES_TLS_CONFIG}"
 - "traefik.http.routers.collaboration.service=collaboration"
+ - "traefik.http.routers.collaboration.middlewares=hsts-header"
 - "traefik.http.services.collaboration.loadbalancer.server.port=9300"
 collabora:
 labels:
@@ -21,4 +22,5 @@ services:
 - "traefik.http.routers.collabora.rule=Host(`${COLLABORA_DOMAIN:-collabora.opencloud.test}`)"
 - "traefik.http.routers.collabora.${TRAEFIK_SERVICES_TLS_CONFIG}"
 - "traefik.http.routers.collabora.service=collabora"
+ - "traefik.http.routers.collabora.middlewares=hsts-header"
 - "traefik.http.services.collabora.loadbalancer.server.port=9980"
diff --git a/traefik/ldap-keycloak.yml b/traefik/ldap-keycloak.yml
index 1905e8e..908d9ad 100644
--- a/traefik/ldap-keycloak.yml
+++ b/traefik/ldap-keycloak.yml
@@ -12,4 +12,5 @@ services:
 - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
 - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
 - "traefik.http.routers.keycloak.service=keycloak"
+ - "traefik.http.routers.keycloak.middlewares=hsts-header"
 - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
diff --git a/traefik/opencloud.yml b/traefik/opencloud.yml
index 8c2062a..1c7df06 100644
--- a/traefik/opencloud.yml
+++ b/traefik/opencloud.yml
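Review bot: The `hsts-header` middleware named by the added `traefik.http.routers.collaboration.middlewares=hsts-header` label in traefik/collabora.yml is not defined in that file; the only definition in this patch sits on the `traefik` service's labels in traefik/opencloud.yml. As far as I know Traefik refuses to build a router whose middleware it cannot resolve, so if that container's labels are ever not read by the Docker provider (for instance a `traefik.enable` label evaluating to false on it, which these hunks do not show) the affected routes would stop serving instead of merely losing the header. The same dependency applies to the `collabora` router in the second hunk, the `keycloak` router in traefik/ldap-keycloak.yml and the `opencloud` router in traefik/opencloud.yml. I would either define the middleware somewhere that is always loaded or document the coupling next to each reference, e.g. `# hsts-header is defined on the traefik service in traefik/opencloud.yml`.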
@@ -6,6 +6,7 @@ services:
 - "traefik.http.routers.opencloud.entrypoints=https"
 - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
 - "traefik.http.routers.opencloud.service=opencloud"
+ - "traefik.http.routers.opencloud.middlewares=hsts-header"
 - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
 - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
 traefik:
@@ -42,6 +43,10 @@ services:
 - "traefik.http.routers.traefik.middlewares=traefik-auth"
 - "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
 - "traefik.http.routers.traefik.service=api@internal"
+ - "traefik.http.middlewares.hsts-header.headers.stsSeconds=31536000"
+ - "traefik.http.middlewares.hsts-header.headers.stsIncludeSubdomains=true"
+ - "traefik.http.middlewares.hsts-header.headers.stsPreload=true"
+ - "traefik.http.middlewares.hsts-header.headers.forceSTSHeader=true"
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always
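Review bot: In the second hunk, `stsPreload=true` with `stsIncludeSubdomains=true` and a one-year `stsSeconds=31536000` is hard-coded for every deployment of this template, and such a policy is difficult to withdraw once browsers have cached it or the domain has been preloaded. For a compose file that operators run on their own domains I would make these opt-in and overridable, e.g. `stsPreload=${HSTS_PRELOAD:-false}` and `stsSeconds=${HSTS_MAX_AGE:-31536000}` (the variable names are suggestions, not existing settings). `forceSTSHeader=true` also emits the header on responses Traefik serves over plain HTTP, which is worth a comment stating why it is needed here. Separately, the dashboard router in the context lines keeps `middlewares=traefik-auth` only, so it is the one HTTPS route that does not get the header; `middlewares=traefik-auth,hsts-header` would cover it. The `traefik` service's label list starts above this hunk.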