traefik: harden websecure defaults (crowdsec, headers, tls12)

dynamic.d/middlewares/label-auth.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    label-auth:
+      basicAuth:
+        # Keep actual user hashes out of git.
+        usersFile: /secrets/label.htpasswd

dynamic.d/middlewares/secure-headers.yml

@@ -0,0 +1,12 @@
+http:
+  middlewares:
+    secure-headers:
+      headers:
+        contentTypeNosniff: true
+        frameDeny: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        # Intentionally no HSTS (per requirement).
+        customResponseHeaders:
+          server: ""
+          x-powered-by: ""
+