plugs: add CSPPlug
This commit is contained in:
parent
617aff4f0c
commit
f516e317ea
2 changed files with 39 additions and 0 deletions
38
lib/pleroma/plugs/csp_plug.ex
Normal file
38
lib/pleroma/plugs/csp_plug.ex
Normal file
|
@ -0,0 +1,38 @@
|
|||
defmodule Pleroma.Plugs.CSPPlug do
|
||||
import Plug.Conn
|
||||
|
||||
def init(opts), do: opts
|
||||
|
||||
def call(conn, options) do
|
||||
conn = merge_resp_headers(conn, headers())
|
||||
end
|
||||
|
||||
defp headers do
|
||||
[
|
||||
{"x-xss-protection", "1; mode=block"},
|
||||
{"x-permitted-cross-domain-policies", "none"},
|
||||
{"x-frame-options", "DENY"},
|
||||
{"x-content-type-options", "nosniff"},
|
||||
{"referrer-policy", "same-origin"},
|
||||
{"x-download-options", "noopen"},
|
||||
{"content-security-policy", csp_string() <> ";"}
|
||||
]
|
||||
end
|
||||
|
||||
defp csp_string do
|
||||
[
|
||||
"default-src 'none'",
|
||||
"base-uri 'self'",
|
||||
"form-action *",
|
||||
"frame-ancestors 'none'",
|
||||
"img-src 'self' data: https:",
|
||||
"media-src 'self' https:",
|
||||
"style-src 'self' 'unsafe-inline'",
|
||||
"font-src 'self'",
|
||||
"script-src 'self'",
|
||||
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
|
||||
"upgrade-insecure-requests"
|
||||
]
|
||||
|> Enum.join("; ")
|
||||
end
|
||||
end
|
|
@ -12,6 +12,7 @@ defmodule Pleroma.Web.Endpoint do
|
|||
# You should set gzip to true if you are running phoenix.digest
|
||||
# when deploying your static files in production.
|
||||
plug(CORSPlug)
|
||||
plug(Pleroma.Plugs.CSPPlug)
|
||||
|
||||
plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)
|
||||
|
||||
|
|
Loading…
Reference in a new issue