diff --git a/config/config.exs b/config/config.exs index 1d918919d..be9c03ceb 100644 --- a/config/config.exs +++ b/config/config.exs @@ -176,7 +176,7 @@ config :pleroma, :suggestions, limit: 23, web: "https://vinayaka.distsn.org/?{{host}}+{{user}}" -config :pleroma, :csp, +config :pleroma, :http_security, enabled: true, sts: false, sts_max_age: 31_536_000, diff --git a/config/config.md b/config/config.md index 446b0ce67..48af1c236 100644 --- a/config/config.md +++ b/config/config.md @@ -81,7 +81,7 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i * ``outgoing_blocks``: Whether to federate blocks to other instances * ``deny_follow_blocked``: Whether to disallow following an account that has blocked the user in question -## :csp +## :http_security * ``enabled``: Whether the managed content security policy is enabled * ``sts``: Whether to additionally send a `Strict-Transport-Security` header * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent diff --git a/lib/pleroma/plugs/csp_plug.ex b/lib/pleroma/plugs/http_security_plug.ex similarity index 82% rename from lib/pleroma/plugs/csp_plug.ex rename to lib/pleroma/plugs/http_security_plug.ex index 8fc21b909..8d652a2f3 100644 --- a/lib/pleroma/plugs/csp_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -1,14 +1,14 @@ -defmodule Pleroma.Plugs.CSPPlug do +defmodule Pleroma.Plugs.HTTPSecurityPlug do alias Pleroma.Config import Plug.Conn def init(opts), do: opts def call(conn, options) do - if Config.get([:csp, :enabled]) do + if Config.get([:http_security, :enabled]) do conn = merge_resp_headers(conn, headers()) - |> maybe_send_sts_header(Config.get([:csp, :sts])) + |> maybe_send_sts_header(Config.get([:http_security, :sts])) else conn end @@ -44,8 +44,8 @@ defmodule Pleroma.Plugs.CSPPlug do end defp maybe_send_sts_header(conn, true) do - max_age_sts = Config.get([:csp, :sts_max_age]) - max_age_ct = Config.get([:csp, :ct_max_age]) + max_age_sts = Config.get([:http_security, :sts_max_age]) + max_age_ct = Config.get([:http_security, :ct_max_age]) merge_resp_headers(conn, [ {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}, diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex index 370d2d792..7783b8e5c 100644 --- a/lib/pleroma/web/endpoint.ex +++ b/lib/pleroma/web/endpoint.ex @@ -12,7 +12,7 @@ defmodule Pleroma.Web.Endpoint do # You should set gzip to true if you are running phoenix.digest # when deploying your static files in production. plug(CORSPlug) - plug(Pleroma.Plugs.CSPPlug) + plug(Pleroma.Plugs.HTTPSecurityPlug) plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false) diff --git a/test/plugs/csp_plug_test.exs b/test/plugs/http_security_plug_test.exs similarity index 84% rename from test/plugs/csp_plug_test.exs rename to test/plugs/http_security_plug_test.exs index e27b24db9..5268a1972 100644 --- a/test/plugs/csp_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -1,10 +1,10 @@ -defmodule Pleroma.Web.Plugs.CSPPlugTest do +defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do use Pleroma.Web.ConnCase alias Pleroma.Config alias Plug.Conn test "it sends CSP headers when enabled", %{conn: conn} do - Config.put([:csp, :enabled], true) + Config.put([:http_security, :enabled], true) conn = conn @@ -20,7 +20,7 @@ defmodule Pleroma.Web.Plugs.CSPPlugTest do end test "it does not send CSP headers when disabled", %{conn: conn} do - Config.put([:csp, :enabled], false) + Config.put([:http_security, :enabled], false) conn = conn @@ -36,8 +36,8 @@ defmodule Pleroma.Web.Plugs.CSPPlugTest do end test "it sends STS headers when enabled", %{conn: conn} do - Config.put([:csp, :enabled], true) - Config.put([:csp, :sts], true) + Config.put([:http_security, :enabled], true) + Config.put([:http_security, :sts], true) conn = conn @@ -48,8 +48,8 @@ defmodule Pleroma.Web.Plugs.CSPPlugTest do end test "it does not send STS headers when disabled", %{conn: conn} do - Config.put([:csp, :enabled], true) - Config.put([:csp, :sts], false) + Config.put([:http_security, :enabled], true) + Config.put([:http_security, :sts], false) conn = conn