# Traefik dynamic config — CSP para portal/wizard (CT114)
# Ajustar hostnames e validar libs externas antes de aplicar em produção.

http:
  middlewares:
    wizard-csp:
      headers:
        contentSecurityPolicy: >-
          default-src 'self';
          script-src 'self' 'unsafe-inline';
          style-src 'self' 'unsafe-inline';
          img-src 'self' data: https:;
          connect-src 'self' https://desk.ligbox.com.br;
          frame-ancestors 'none';
          base-uri 'self';
          form-action 'self';
          report-uri https://desk.ligbox.com.br/api/v1/security/csp-report;
        contentSecurityPolicyReportOnly: false
        referrerPolicy: strict-origin-when-cross-origin
        permissionsPolicy: "geolocation=(), microphone=(), camera=()"
        customResponseHeaders:
          X-Content-Type-Options: nosniff
          X-Frame-Options: DENY

  routers:
  # Exemplo — anexar middleware ao router existente do wizard:
  #   middlewares:
  #     - wizard-csp