Labels Milestones

HTTP header improvements #294

Merged

floatingghost merged 5 commits from r3g_5z/akkoma:http-header-improvements into develop 3 weeks ago

Conversation 1 Commits 5 Files Changed 13

r3g_5z commented 3 weeks ago

• Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

• Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

• Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

• Set base-uri to 'none'

This is to specify the domain for relative links (<base> HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

- Drop Expect-CT Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - Raise HSTS to 2 years and explicitly preload The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt. For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain. - Drop X-Download-Options This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this. - Set base-uri to 'none' This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag. I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed. I have not compiled my Elixr changes, but I don't see why they'd break.

r3g_5z added 5 commits 3 weeks ago

413b40b510

Drop X-Download-Options ...

It's an IE8-era header where Adobe products used to use the IE engine
when making outbound web requests to embed webpages such as
Adobe Acrobat. This is something that a secure and modern CSP would
protect against.

Signed-off-by: r3g_5z <june@terezi.dev>

5b9936ce7f

Raise HSTS max age to 2 years ...

The longer the better, and various HTTP header checkers now suggest a
2 year age.

Signed-off-by: r3g_5z <june@terezi.dev>

828e0f56c5

Drop Expect-CT ...

The header has been redundant since 2018 as all CAs and browsers enforce
certificate transparency already and is now a requirement. It's also
not even implemented in others browsers except for Chrome, and
Chrome 107 deprecates this header.

Signed-off-by: r3g_5z <june@terezi.dev>

c08ee3edb2

Directly specify preload for Strict-Transport-Security ...

For most browsers, this is usually implied by the header itself,
however for HSTS to be effective you need to submit your root domain to
hstspreload.org. If "preload" is not in the header, it will reject your
domain.

Signed-off-by: r3g_5z <june@terezi.dev>

f26108dba1

Set base-uri to none ...

pleroma-fe doesn't use this and it seems too niche to have any use-case

Signed-off-by: r3g_5z <june@terezi.dev>

floatingghost commented 3 weeks ago

Owner

don't disagree with any reasoning here, seems ok!

thanks

don't disagree with any reasoning here, seems ok! thanks

floatingghost merged commit 0e4c201f8d into develop 3 weeks ago

floatingghost deleted branch http-header-improvements 3 weeks ago

floatingghost referenced this issue from a commit 3 weeks ago

HTTP header improvements (#294)

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

The pull request has been merged as 0e4c201f8d.

Sign in to join this conversation.

Reviewers

Request review

No reviewers

Labels

Apply labels

Clear labels

bug
Something is not working configuration
This requires config changes documentation
This is about human-readable docs duplicate
This issue or pull request already exists enhancement
New feature help wanted
Need some help invalid
Something is wrong question
More information is needed wontfix
This won't be fixed

No Label bug configuration documentation duplicate enhancement help wanted invalid question wontfix

Milestone

Set milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Assign users

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#294

Write Preview

Loading…

Cancel

Save

There is no content yet.