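# NixOS module: declares a reusable Caddy security-header snippet
# (`website.defaultHeaders`), enables the Caddy service and opens the
# firewall for HTTP/HTTPS.
{ pkgs, config, lib, ... }:
{
  # NOTE(review): nothing in this module references
  # `config.website.defaultHeaders`; the headers are only sent by virtual
  # hosts that interpolate the option into their own `extraConfig`.
  # Confirm every site definition elsewhere actually does so.
  options.website.defaultHeaders = lib.mkOption {
    type = lib.types.str;
    description = ''
      Caddyfile `header` block with the baseline response headers for
      sites served by Caddy. Interpolate it into a virtual host's
      `extraConfig` to apply it.
    '';
    # Review notes on the default below (kept outside the string so the
    # generated Caddyfile text is unchanged):
    #  - HSTS is set for one year without `includeSubDomains`, so
    #    subdomains are not covered by this policy.
    #  - X-Frame-Options DENY blocks framing; no Content-Security-Policy
    #    is set here, so there is no `frame-ancestors` equivalent and no
    #    script/content restrictions.
    #  - `interest-cohort=()` targets the FLoC proposal; presumably a
    #    no-op in current browsers. TODO confirm whether a different
    #    Permissions-Policy feature list is wanted.
    #  - `-Server` removes Caddy's Server response header.
    default = ''
      header {
        -Server
        # disable indexing by search engines
        X-Robots-Tag "noindex, nofollow"
        # disable FLoC tracking
        Permissions-Policy interest-cohort=()
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
      }
    '';
  };

  config = {
    services.caddy = {
      enable = true;
      # Example virtual host, left disabled. It serves a static page and
      # does not include the default headers.
      # virtualHosts = {
      #   "http://localhost".extraConfig = ''
      #     try_files ${pkgs.writeText "index.html" ''
      #       hello world
      #     ''} /
      #   '';
      # };
    };

    # Only TCP 80/443 are opened. UDP 443 stays closed, so HTTP/3 (QUIC)
    # is not reachable from outside; clients use HTTP/1.1 or HTTP/2.
    networking.firewall.allowedTCPPorts = [80 443];
  };
}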