
feat: Add strict-headers and relaxed-headers middleware for enhan… #22

Merged
fkrzski merged 1 commit into master from fixed-security-middlewares
Feb 24, 2026

Conversation

@fkrzski (Owner) commented Feb 24, 2026

…ced security flexibility

  • Replaced security-headers middleware in docker-compose.yml with strict-headers and relaxed-headers where applicable.
  • Updated INTEGRATION_GUIDE.md with details on both middleware types, highlighting their respective Content-Security-Policy configurations.
  • Added strict-headers and relaxed-headers definitions to config/dynamic.yml for improved CSP customization.

@fkrzski fkrzski self-assigned this Feb 24, 2026
@gemini-code-assist (Contributor) commented

Summary of Changes

Hello @fkrzski, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the flexibility of security header management by introducing two distinct middleware configurations: strict-headers and relaxed-headers. This allows services to apply either a highly restrictive Content-Security-Policy or a more lenient one, accommodating applications that require inline scripts or styles, while maintaining other essential security protections. The changes provide better control over security posture based on specific application needs.

Highlights

  • New Security Middleware Introduction: Introduced strict-headers and relaxed-headers middlewares to provide more granular control over Content-Security-Policy (CSP) configurations, replacing the single security-headers middleware.
  • Content-Security-Policy Customization: strict-headers enforces a full CSP without unsafe-inline, suitable for custom services, while relaxed-headers allows unsafe-inline for compatibility with applications like the Traefik dashboard.
  • Configuration Updates: Updated config/dynamic.yml to define the new strict-headers and relaxed-headers middlewares and modified docker-compose.yml to apply these new middlewares to relevant services.
  • Documentation Enhancement: Revised INTEGRATION_GUIDE.md to clearly document the purpose, configuration, and usage of both strict-headers and relaxed-headers middlewares.
Changelog
  • config/dynamic.yml
    • Renamed the existing security-headers middleware definition to strict-headers.
    • Added a new relaxed-headers middleware definition with a Content-Security-Policy that permits unsafe-inline for scripts and styles.
  • docker-compose.yml
    • Replaced security-headers@file with relaxed-headers@file for the Traefik dashboard service.
    • Replaced security-headers@file with strict-headers@file for the pma, pgadmin, and mailpit services.
  • docs/INTEGRATION_GUIDE.md
    • Updated the "Security Headers Middleware" section to describe the new strict-headers and relaxed-headers options.
    • Clarified the differences in their Content-Security-Policy configurations.
    • Updated examples to use strict-headers@file where appropriate.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces strict-headers and relaxed-headers middleware to replace the singular security-headers, offering enhanced flexibility for Content-Security-Policy configurations. The changes are well-integrated into docker-compose.yml and clearly documented in INTEGRATION_GUIDE.md. My primary suggestion is to refactor the middleware definitions in config/dynamic.yml to leverage Traefik's chaining capabilities, which will reduce code duplication and improve long-term maintainability.
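An added example, not the repository's own `config/dynamic.yml`, showing how the two middlewares described in this PR could be laid out using Traefik's chain middleware as the review suggests: one shared headers block plus a strict and a relaxed CSP, each exposed under the names the services already reference. Every middleware name other than `strict-headers`/`relaxed-headers`, and every header value, is an assumption chosen for illustration.

```yaml
# Added example, not the project's own config/dynamic.yml. The middleware
# names other than strict-headers / relaxed-headers and all header values
# are assumptions chosen to illustrate the chain-based layout.
http:
  middlewares:
    # Hardening shared by both variants, defined once.
    base-security-headers:
      headers:
        frameDeny: true
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        customResponseHeaders:
          X-Powered-By: ""   # an empty value removes the header (assumed use)

    # CSP with no 'unsafe-inline': for custom services that ship no inline code.
    strict-csp:
      headers:
        contentSecurityPolicy: >-
          default-src 'self'; script-src 'self'; style-src 'self';
          img-src 'self' data:; font-src 'self'; connect-src 'self';
          frame-ancestors 'none'; base-uri 'self'; form-action 'self'

    # Same policy, but inline script/style is tolerated (e.g. the Traefik dashboard).
    relaxed-csp:
      headers:
        contentSecurityPolicy: >-
          default-src 'self'; script-src 'self' 'unsafe-inline';
          style-src 'self' 'unsafe-inline'; img-src 'self' data:;
          font-src 'self'; connect-src 'self'; frame-ancestors 'none';
          base-uri 'self'; form-action 'self'

    # Names referenced from docker-compose.yml as strict-headers@file and
    # relaxed-headers@file; each chains the shared block with exactly one CSP,
    # so a change to the common hardening is made in one place.
    strict-headers:
      chain:
        middlewares: [base-security-headers, strict-csp]
    relaxed-headers:
      chain:
        middlewares: [base-security-headers, relaxed-csp]
```

With this layout the only difference between the two variants is the single CSP middleware in the chain, which makes a review of where `unsafe-inline` is permitted a matter of reading one block.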

@fkrzski fkrzski merged commit ca0f285 into master Feb 24, 2026
2 checks passed
@fkrzski fkrzski deleted the fixed-security-middlewares branch February 24, 2026 20:57