- Admin API Protection: Bind the admin API to localhost only (localhost:2019) or disable it entirely in production with admin off.
- Port Restrictions: Only expose ports 80 (HTTP) and 443 (HTTPS) to the internet. Restrict administrative ports to trusted networks only.
- Firewall Configuration: Use UFW, iptables, or firewalld to restrict incoming connections to necessary ports only.
¶ TLS and Certificates
- Automatic HTTPS: Use automatic HTTPS with ACME for Let’s Encrypt certificates.
- Certificate Security: Protect certificate files with strict permissions (600) and make sure they are owned by the caddy user.
- Custom Certificate Authorities: When using private CAs, restrict certificate issuers appropriately.
- OCSP Stapling: Enable OCSP stapling for improved privacy and performance (enabled by default in Caddy).
- File Permissions: Store the Caddyfile with strict permissions (600 or 640) and owned by root:caddy.
- Admin Endpoint: Never expose the admin endpoint publicly; disable it with admin off in production.
- Security Headers: Implement security headers like HSTS, CSP, X-Frame-Options, etc.
- Input Validation: Use appropriate request matchers and validation for all inputs.
- Dedicated User: Run Caddy as a dedicated caddy user with minimal privileges.
- System Updates: Keep Caddy updated to the latest stable version.
- Process Isolation: Consider running Caddy in a container or with additional isolation mechanisms.
- Resource Limits: Set appropriate resource limits (CPU, memory) to prevent resource exhaustion.
Example security headers for a Caddyfile:

    example.com {
        header {
            Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
            X-Content-Type-Options nosniff
            X-Frame-Options DENY
            Referrer-Policy strict-origin-when-cross-origin
            # Legacy header: current browsers ignore it and OWASP recommends "0" or omitting it.
            X-XSS-Protection "1; mode=block"
            Content-Security-Policy "default-src 'self'"
        }
    }
¶ Monitoring and Logging
- Access Logging: Enable structured access logging for security monitoring.
- Error Logging: Monitor error logs for potential security issues.
- Certificate Renewal: Set up alerts for certificate renewal failures.
- Performance Monitoring: Monitor resource usage for anomalies that might indicate attacks.
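The recommendations above (admin API bound to loopback, security headers, explicit request matchers, structured access logging) combined into one site configuration, written here as an added example rather than taken from the Caddy project's own documentation. The contact address, log path, the /api/* prefix and the backend at 127.0.0.1:8080 are assumed placeholders.

```caddyfile
{
    # Global options. The admin API answers only on loopback; replace the
    # line with "admin off" if nothing on the host needs it at all.
    admin localhost:2019
    # Contact address handed to the ACME CA (placeholder, assumption).
    email ops@example.com
}

example.com {
    # Structured (JSON) access log, rotated on disk, for security monitoring.
    # Path is an assumed placeholder.
    log {
        output file /var/log/caddy/example.com.access.log {
            roll_size 100mb
            roll_keep 10
        }
        format json
    }

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        Content-Security-Policy "default-src 'self'"
        Permissions-Policy "camera=(), microphone=(), geolocation=()"
        # Do not advertise the server software in responses.
        -Server
    }

    # Only the expected API prefix reaches the backend; any other path
    # gets a plain 404 instead of being forwarded (assumed layout).
    @api path /api/*
    handle @api {
        reverse_proxy 127.0.0.1:8080
    }
    handle {
        respond 404
    }
}
```

Run caddy validate against the file before reloading, and confirm from another host that port 2019 is not reachable while 80 and 443 are.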