HTTP header improvements #294

Merged
floatingghost merged 5 commits from r3g_5z/akkoma:http-header-improvements into develop 3 weeks ago
r3g_5z commented 3 weeks ago
  • Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

  • Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

  • Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

  • Set base-uri to 'none'

This is to specify the domain for relative links (<base> HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

- Drop Expect-CT Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - Raise HSTS to 2 years and explicitly preload The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt. For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain. - Drop X-Download-Options This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this. - Set base-uri to 'none' This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag. I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed. I have not compiled my Elixr changes, but I don't see why they'd break.
r3g_5z added 5 commits 3 weeks ago
413b40b510
Drop X-Download-Options
5b9936ce7f
Raise HSTS max age to 2 years
828e0f56c5
Drop Expect-CT
c08ee3edb2
Directly specify preload for Strict-Transport-Security
ci/woodpecker/pr/woodpecker Pipeline was successful Details
f26108dba1
Set base-uri to none
Owner

don't disagree with any reasoning here, seems ok!

thanks

don't disagree with any reasoning here, seems ok! thanks
floatingghost merged commit 0e4c201f8d into develop 3 weeks ago
floatingghost deleted branch http-header-improvements 3 weeks ago
floatingghost referenced this issue from a commit 3 weeks ago
ci/woodpecker/pr/woodpecker Pipeline was successful
The pull request has been merged as 0e4c201f8d.
Sign in to join this conversation.
No reviewers
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#294
Loading…
There is no content yet.