HTTP header improvements #294
Merged
floatingghost
merged 5 commits from r3g_5z/akkoma:http-header-improvements
into develop
3 months ago
Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
The longer the age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.
This is an IE8-era header from when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser or header analyser checks for this.
This is to specify the domain for relative links (<base> HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.
I have not compiled my Elixir changes, but I don't see why they'd break.
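An added example (not part of this PR or of Akkoma) that checks a response header map against the points raised above: Expect-CT should be absent, Strict-Transport-Security should carry a two-year max-age and the preload directive. The includeSubDomains check is an assumption taken from the hstspreload.org submission requirements rather than from this PR; the BEFORE/AFTER header maps are constructed samples.

```python
TWO_YEARS = 2 * 365 * 24 * 60 * 60  # 63072000 seconds, the max-age preferred by header analysers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive; 'max-age' carries a value,
    'includeSubDomains' and 'preload' are bare flags (value '').
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers):
    """Return a list of findings for a response header map (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "expect-ct" in h:
        findings.append("Expect-CT is deprecated; drop it")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
        return findings
    d = parse_hsts(hsts)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or not an integer")
    elif int(max_age) < TWO_YEARS:
        findings.append(f"HSTS max-age {max_age} is below two years ({TWO_YEARS})")
    if "includesubdomains" not in d:
        # assumption: hstspreload.org requires includeSubDomains for submission
        findings.append("HSTS lacks includeSubDomains (required by hstspreload.org)")
    if "preload" not in d:
        findings.append("HSTS lacks preload; hstspreload.org will reject the domain")
    return findings


# Constructed sample header maps, not captured from a real server.
BEFORE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Expect-CT": "max-age=86400, enforce",
}
AFTER = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
```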
don't disagree with any reasoning here, seems ok!
thanks
merged commit 0e4c201f8d into develop 3 months ago