http: middlewares: security-headers: headers: stsSeconds: 31536000 stsIncludeSubdomains: true stsPreload: true frameDeny: true contentTypeNosniff: true browserXssFilter: true referrerPolicy: "strict-origin-when-cross-origin" contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; form-action 'self';" permissionsPolicy: "camera=(), microphone=(), geolocation=(), interest-cohort=()" customResponseHeaders: X-Robots-Tag: "noindex, nofollow" X-Powered-By: "" rate-limit: rateLimit: average: 100 burst: 50 period: 1s sourceCriterion: ipStrategy: depth: 1 compression: compress: excludedContentTypes: - text/event-stream - application/octet-stream strip-api-prefix: stripPrefix: prefixes: - /api cors: headers: accessControlAllowMethods: - GET - POST - PUT - PATCH - DELETE - OPTIONS accessControlAllowHeaders: - Content-Type - Authorization - X-Requested-With accessControlAllowOriginList: - "https://investplay.app" - "https://www.investplay.app" - "https://cms.investplay.app" accessControlMaxAge: 86400 accessControlAllowCredentials: true cms-strip-prefix: stripPrefix: prefixes: - /cms auth-basic: basicAuth: users: - "admin:$2y$10$YourGeneratedHashHere" tls: options: default: minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 sniStrict: true