# Traefik dynamic configuration: a reusable response-header hardening
# middleware. Defining it here changes nothing by itself; it only takes
# effect on routers that list it in their `middlewares`.
http:
  middlewares:
    secure-headers:
      headers:
        # Sends `X-Content-Type-Options: nosniff`, so browsers do not
        # MIME-sniff a response into a type other than the declared one.
        contentTypeNosniff: true
        # Sends `X-Frame-Options: DENY`, which blocks all framing of the
        # site (clickjacking defence). No Content-Security-Policy is set in
        # this block, so there is no `frame-ancestors` equivalent here.
        frameDeny: true
        # Cross-origin requests receive only the origin as referrer, and
        # nothing at all on an HTTPS -> HTTP downgrade.
        referrerPolicy: 'strict-origin-when-cross-origin'
        # Intentionally no HSTS (per requirement).
        # NOTE(review): without Strict-Transport-Security the browser does
        # not remember to use HTTPS, so the HTTP -> HTTPS redirect has to be
        # enforced elsewhere (entrypoint or router). Confirm that it is, and
        # record the requirement so the omission can be revisited.
        customResponseHeaders:
          # In Traefik an empty value removes the header from the response.
          # This only hides backend/framework banners (less version
          # fingerprinting); it does not replace patching the backend.
          server: ''
          x-powered-by: ''