# Caddy Webserver
```
t322.demolah.com {
root * /var/www/t322/public
# Laravel route handling: only rewrite if file doesn't exist
handle {
@notStatic {
not file
}
rewrite @notStatic /index.php
php_fastcgi unix//run/php/php8.4-fpm.sock
file_server
encode zstd gzip
}
header {
# Prevent clickjacking
X-Frame-Options "SAMEORIGIN"
# Prevent XSS attacks
X-XSS-Protection "1; mode=block"
# Block content sniffing
X-Content-Type-Options "nosniff"
# Enable HSTS (force HTTPS in browsers)
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Referrer policy (less data leakage)
Referrer-Policy no-referrer-when-downgrade
# Referrer-Policy "strict-origin-when-cross-origin"
# Content Security Policy (optional - adjust for your use case)
Content-Security-Policy "
default-src 'self';
img-src * data:;
font-src 'self' https://t322.demolah.com https://fonts.gstatic.com data:;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
"
# Disable FLoC
Permissions-Policy "interest-cohort=()"
# Remove server version (optional)
-Server Caddy
}
@staticFiles {
path *.js *.css *.png *.jpg *.jpeg *.gif *.svg *.woff2 *.woff *.ttf *.eot
}
header @staticFiles {
Cache-Control "public, max-age=31536000, immutable"
}
log {
output file /var/log/caddy/t322.demolah.com.access.log {
roll_size 10mb
roll_keep 5
roll_keep_for 720h
}
# Log format: JSON or common
format json
}
}
```
\## tips:
kalau depan ada cloudflare
\### ssl/tls
- overview guna strict mode
\### edge
- always user https matikan,
- automatic https rewrites matikan