From 793c91527c67423288749ba582627d21ccccde64 Mon Sep 17 00:00:00 2001
From: mattspeer
Date: Wed, 27 May 2026 18:34:16 -0500
Subject: [PATCH] security-rules.yml copied straight from gemini
---
security-rules.yml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 security-rules.yml
diff --git a/security-rules.yml b/security-rules.yml
new file mode 100644
index 0000000..044669f
--- /dev/null
+++ b/security-rules.yml
@@ -0,0 +1,31 @@
+http:
+ middlewares:
+ # 1. Geoblocking Rule (Allow US only)
+ geoblock-policy:
+ plugin:
+ geoblock:
+ allowLocalRequests: true
+ logLocalRequests: false
+ countries:
+ - US
+
+ # 2. CrowdSec Firewall Rule
+ crowdsec-policy:
+ plugin:
+ crowdsec:
+ enabled: true
+ crowdsecLapiHost: "crowdsec:8080"
+ crowdsecLapiKey: "GENERATE_A_KEY_IN_STEP_5" # We will replace this shortly
+ crowdsecMode: stream
+
+ # 3. Secure HTTP Headers
+ secure-headers:
+ headers:
+ sslRedirect: true
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ forceSTSHeader: true
+ frameDeny: true
+ contentTypeNosniff: true
+ browserXssFilter: true
\ No newline at end of file
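Review bot: `crowdsecLapiKey` under `crowdsec-policy` is set inline in a tracked file, so once the `GENERATE_A_KEY_IN_STEP_5` placeholder is replaced the real bouncer key will sit in version control, and the placeholder itself will not authenticate to the LAPI. If this is the crowdsec-bouncer-traefik-plugin, load the key from a file instead, e.g. `crowdsecLapiKeyFile: "/run/secrets/<lapi-key-file>"` (placeholder path), and keep that file out of the repository. Separately, `allowLocalRequests: true` on `geoblock-policy` exempts private source addresses, so if Traefik sits behind another proxy or NAT and only sees internal client IPs, the country filter may never apply; confirm the real client address reaches the plugin. `sslRedirect` was removed from the headers middleware in Traefik v3, so check the target version and use an entrypoint-level HTTPS redirect if needed. `stsPreload: true` with `stsIncludeSubdomains: true` is hard to roll back once browsers preload it, so enable it only when every subdomain serves HTTPS.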