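---
# Strip the Authorization header on WebDAV routes so Authentik doesn't try to
# interpret the client's Basic Auth credentials.
# Traefik drops a request header whose custom value is the empty string.
# NOTE(review): the header is removed from the request as it travels down the
# middleware chain, so anything placed after this middleware (the backend
# included) no longer sees client credentials. Confirm the WebDAV route is
# still authenticated by some other control and that the middleware order on
# the router is the intended one.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: webdav-strip-auth
spec:
  headers:
    customRequestHeaders:
      Authorization: ""
---
# Rate limit to protect from brute force / bots.
# No `period` is set, so `average` counts per second (Traefik's default
# period): 50 requests/s sustained, with bursts of up to 100.
# No `sourceCriterion` is set, so requests are grouped by Traefik's default
# source (the connection's remote address).
# NOTE(review): if Traefik sits behind another proxy or load balancer, every
# client may share one bucket; confirm the source criterion resolves to the
# real client. 50 req/s per source is a flood guard rather than a tight cap on
# password guessing; authentication endpoints may need a stricter limit.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 50
    burst: 100
---
# Optional: security headers for UI.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
spec:
  headers:
    # HSTS for one year (31536000 s). Traefik only emits the header on TLS
    # connections unless `forceSTSHeader` is set.
    # NOTE(review): verify the header actually appears if TLS is terminated
    # in front of Traefik.
    stsSeconds: 31536000
    # includeSubDomains + preload commit every subdomain to HTTPS, and a
    # preload-list entry is slow to withdraw; confirm all subdomains serve
    # valid TLS before relying on this.
    stsIncludeSubdomains: true
    stsPreload: true
    # Emits `X-XSS-Protection: 1; mode=block`. This is a legacy header: the
    # XSS auditor it controlled has been removed from current mainstream
    # browsers, so XSS mitigation has to come from a Content-Security-Policy
    # (none is configured here).
    browserXssFilter: true
    # Emits `X-Content-Type-Options: nosniff`.
    contentTypeNosniff: true
    # Emits `X-Frame-Options: DENY`.
    frameDeny: true
    referrerPolicy: "no-referrer"
    # The three typed options above already produce X-XSS-Protection,
    # X-Content-Type-Options and X-Frame-Options with the same values the
    # original set again under `customResponseHeaders`; the duplicate entries
    # are dropped so each header has a single source of truth.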