To me on the security side of things caddy has a feature I have yet to see anywhere else: default reverse proxy headers.

Got something you want to lock down remote js loading on unless it explicitly requests an override? Default the variable to a locked value. The application can override it with it’s own header as necessary.

caddyserver.com/docs/caddyfile/directives/header