Commit graph

18 commits

Author SHA1 Message Date
522221f7fb Mix format 2023-04-14 17:56:34 +01:00
a079ec3a3c in dev, allow dev FE 2023-04-14 16:36:40 +01:00
70803d7966 Remove mix.env reference 2023-03-11 18:24:44 +00:00
8a4437d2be Allow expires_at in filter requests
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Fixes #492
2023-03-09 19:13:14 +00:00
336d06b2a8 Significantly tighten HTTP CSP
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2023-01-02 15:21:19 +00:00
9a320ba814 make 2fa UI less awful
Some checks failed
ci/woodpecker/push/woodpecker Pipeline is pending
ci/woodpecker/pr/woodpecker Pipeline failed
2022-12-16 11:50:25 +00:00
e2320f870e Add prometheus metrics to router
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
2022-12-15 02:02:07 +00:00
@r3g_5z@plem.sapphic.site
0e4c201f8d HTTP header improvements (#294)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: #294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
r3g_5z
f90552f62e
Drop XSS auditor
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
It's deprecated, removed in some, by all modern browsers and is known
to create XSS vulnerabilities in itself.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 20:40:20 -05:00
89dbc7177b Chores for 2022.11
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
ci/woodpecker/pr/woodpecker Pipeline is pending
2022-11-11 16:12:04 +00:00
ac0c00cdee Add media sources to connect-src if media proxy is enabled
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2022-11-10 17:26:51 +00:00
4d0a51221a
Fix typo in CSP Report-To header name
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
The header name was Report-To, not Reply-To.

In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177

CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to

It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/

(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 15:02:13 +01:00
Sean King
2b4f958b2a
Add opting out of Google FLoC to HTTPSecurityPlug headers 2021-04-18 14:00:18 -06:00
eugenijm
7fcaa188a0 Allow to define custom HTTP headers per each frontend 2021-01-21 21:55:23 +03:00
eugenijm
133644dfa2 Ability to set the Service-Worker-Allowed header 2021-01-21 21:55:11 +03:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Alexander Strizhakov
abc3c7689b
HTTPSecurityPlug module name and filename 2020-10-13 16:43:55 +03:00
Alexander Strizhakov
2501793f81
moving plugs into web dir 2020-10-13 16:38:19 +03:00
Renamed from lib/pleroma/plugs/http_security_plug.ex (Browse further)