Drop Expect-CT

The header has been redundant since 2018 as all CAs and browsers enforce certificate transparency already and is now a requirement. It's also not even implemented in others browsers except for Chrome, and Chrome 107 deprecates this header. Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 23:46:02 -05:00 · 2022-11-19 23:46:02 -05:00 · 828e0f56c5
commit 828e0f56c5
parent 5b9936ce7f
10 changed files with 1 additions and 66 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -488,7 +488,6 @@
  enabled: true,
  sts: false,
  sts_max_age: 63_072_000,
  ct_max_age: 2_592_000,
  referrer_policy: "same-origin"
 config :cors_plug,
--- a/config/description.exs
+++ b/config/description.exs
@ -1752,13 +1752,6 @@
        description: "The maximum age for the Strict-Transport-Security header if sent",
        suggestions: [63_072_000]
      },
      %{
        key: :ct_max_age,
        label: "CT max age",
        type: :integer,
        description: "The maximum age for the Expect-CT header if sent",
        suggestions: [2_592_000]
      },
      %{
        key: :referrer_policy,
        type: :string,
--- a/docs/docs/configuration/cheatsheet.md
+++ b/docs/docs/configuration/cheatsheet.md
@ -453,7 +453,6 @@ This will make Akkoma listen on `127.0.0.1` port `8080` and generate urls starti
 * ``enabled``: Whether the managed content security policy is enabled.
 * ``sts``: Whether to additionally send a `Strict-Transport-Security` header.
 * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent.
 * ``ct_max_age``: The maximum age for the `Expect-CT` header if sent.
 * ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.
 * ``report_uri``: Adds the specified url to `report-uri` and `report-to` group in CSP header.
--- a/docs/docs/configuration/hardening.md
+++ b/docs/docs/configuration/hardening.md
@ -51,10 +51,6 @@ content-security-policy:
 An additional “Strict transport security” header will be sent with the configured `sts_max_age` parameter. This tells the browser, that the domain should only be accessed over a secure HTTPs connection.
 #### `ct_max_age`
 An additional “Expect-CT” header will be sent with the configured `ct_max_age` parameter. This enforces the use of TLS certificates that are published in the certificate transparency log. (see [Expect-CT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT))
 #### `referrer_policy`
 > Recommended value: `same-origin`
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@ -236,11 +236,9 @@ def warn_if_disabled do
  defp maybe_send_sts_header(conn, true) do
    max_age_sts = Config.get([:http_security, :sts_max_age])
    max_age_ct = Config.get([:http_security, :ct_max_age])
    merge_resp_headers(conn, [
-      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
+      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}
      {"expect-ct", "enforce, max-age=#{max_age_ct}"}
    ])
  end
--- a/priv/gettext/ca/LC_MESSAGES/config_descriptions.po
+++ b/priv/gettext/ca/LC_MESSAGES/config_descriptions.po
@ -1936,12 +1936,6 @@ msgstr ""
 "What user agent to use. Must be a string or an atom `:default`. Default "
 "value is `:default`."
 #: lib/pleroma/docs/translator.ex:5
 #, fuzzy
 msgctxt "config description at :pleroma-:http_security > :ct_max_age"
 msgid "The maximum age for the Expect-CT header if sent"
 msgstr "The maximum age for the Expect-CT header if sent"
 #: lib/pleroma/docs/translator.ex:5
 #, fuzzy
 msgctxt "config description at :pleroma-:http_security > :enabled"
@ -4993,12 +4987,6 @@ msgctxt "config label at :pleroma-:http > :user_agent"
 msgid "User agent"
 msgstr "User agent"
 #: lib/pleroma/docs/translator.ex:5
 #, fuzzy
 msgctxt "config label at :pleroma-:http_security > :ct_max_age"
 msgid "CT max age"
 msgstr "CT max age"
 #: lib/pleroma/docs/translator.ex:5
 #, fuzzy
 msgctxt "config label at :pleroma-:http_security > :enabled"
--- a/priv/gettext/config_descriptions.pot
+++ b/priv/gettext/config_descriptions.pot
@ -1612,12 +1612,6 @@ msgctxt "config description at :pleroma-:http > :user_agent"
 msgid "What user agent to use. Must be a string or an atom `:default`. Default value is `:default`."
 msgstr ""
 #, elixir-autogen, elixir-format
 #: lib/pleroma/docs/translator.ex:5
 msgctxt "config description at :pleroma-:http_security > :ct_max_age"
 msgid "The maximum age for the Expect-CT header if sent"
 msgstr ""
 #, elixir-autogen, elixir-format
 #: lib/pleroma/docs/translator.ex:5
 msgctxt "config description at :pleroma-:http_security > :enabled"
@ -4048,12 +4042,6 @@ msgctxt "config label at :pleroma-:http > :user_agent"
 msgid "User agent"
 msgstr ""
 #, elixir-autogen, elixir-format
 #: lib/pleroma/docs/translator.ex:5
 msgctxt "config label at :pleroma-:http_security > :ct_max_age"
 msgid "CT max age"
 msgstr ""
 #, elixir-autogen, elixir-format
 #: lib/pleroma/docs/translator.ex:5
 msgctxt "config label at :pleroma-:http_security > :enabled"
--- a/priv/gettext/es/LC_MESSAGES/config_descriptions.po
+++ b/priv/gettext/es/LC_MESSAGES/config_descriptions.po
@ -1759,12 +1759,6 @@ msgstr ""
 "What user agent to use. Must be a string or an atom `:default`. Default "
 "value is `:default`."
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config description at :pleroma-:http_security > :ct_max_age"
 msgid "The maximum age for the Expect-CT header if sent"
 msgstr "The maximum age for the Expect-CT header if sent"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config description at :pleroma-:http_security > :enabled"
@ -4420,12 +4414,6 @@ msgctxt "config label at :pleroma-:http > :user_agent"
 msgid "User agent"
 msgstr "User agent"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config label at :pleroma-:http_security > :ct_max_age"
 msgid "CT max age"
 msgstr "CT max age"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config label at :pleroma-:http_security > :enabled"
--- a/priv/gettext/nl/LC_MESSAGES/config_descriptions.po
+++ b/priv/gettext/nl/LC_MESSAGES/config_descriptions.po
@ -1759,12 +1759,6 @@ msgstr ""
 "What user agent to use. Must be a string or an atom `:default`. Default "
 "value is `:default`."
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config description at :pleroma-:http_security > :ct_max_age"
 msgid "The maximum age for the Expect-CT header if sent"
 msgstr "The maximum age for the Expect-CT header if sent"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config description at :pleroma-:http_security > :enabled"
@ -4420,12 +4414,6 @@ msgctxt "config label at :pleroma-:http > :user_agent"
 msgid "User agent"
 msgstr "User agent"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config label at :pleroma-:http_security > :ct_max_age"
 msgid "CT max age"
 msgstr "CT max age"
 #: lib/pleroma/docs/translator.ex:5
 #, elixir-autogen, elixir-format, fuzzy
 msgctxt "config label at :pleroma-:http_security > :enabled"
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@ -27,7 +27,6 @@ test "it sends STS headers when enabled", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")
      refute Conn.get_resp_header(conn, "strict-transport-security") == []
      refute Conn.get_resp_header(conn, "expect-ct") == []
    end
    test "it does not send STS headers when disabled", %{conn: conn} do
@ -36,7 +35,6 @@ test "it does not send STS headers when disabled", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")
      assert Conn.get_resp_header(conn, "strict-transport-security") == []
      assert Conn.get_resp_header(conn, "expect-ct") == []
    end
    test "referrer-policy header reflects configured value", %{conn: conn} do