From 413b40b510fe9205b2172db9d7e511af5227b209 Mon Sep 17 00:00:00 2001 From: r3g_5z Date: Sat, 19 Nov 2022 23:12:02 -0500 Subject: [PATCH 1/5] Drop X-Download-Options It's an IE8-era header where Adobe products used to use the IE engine when making outbound web requests to embed webpages such as Adobe Acrobat. This is something that a secure and modern CSP would protect against. Signed-off-by: r3g_5z --- docs/docs/configuration/hardening.md | 1 - docs/docs/configuration/i2p.md | 1 - docs/docs/configuration/onion_federation.md | 1 - docs/docs/installation/openbsd_en.md | 1 - lib/pleroma/web/plugs/http_security_plug.ex | 1 - test/pleroma/web/plugs/http_security_plug_test.exs | 2 -- 6 files changed, 7 deletions(-) diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md index 3011812fc..833e766bd 100644 --- a/docs/docs/configuration/hardening.md +++ b/docs/docs/configuration/hardening.md @@ -27,7 +27,6 @@ This will send additional HTTP security headers to the clients, including: * `X-Permitted-Cross-Domain-Policies: "none"` * `X-Frame-Options: "DENY"` * `X-Content-Type-Options: "nosniff"` -* `X-Download-Options: "noopen"` A content security policy (CSP) will also be set: diff --git a/docs/docs/configuration/i2p.md b/docs/docs/configuration/i2p.md index 981593366..ec6266ab7 100644 --- a/docs/docs/configuration/i2p.md +++ b/docs/docs/configuration/i2p.md @@ -160,7 +160,6 @@ server { add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; diff --git a/docs/docs/configuration/onion_federation.md b/docs/docs/configuration/onion_federation.md index 9fc1cef06..e4ae15fd2 100644 --- a/docs/docs/configuration/onion_federation.md +++ b/docs/docs/configuration/onion_federation.md @@ -104,7 +104,6 @@ server { add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md index 2b163df6d..e4ee661b1 100644 --- a/docs/docs/installation/openbsd_en.md +++ b/docs/docs/installation/openbsd_en.md @@ -165,7 +165,6 @@ http protocol plerup { # Protocol for upstream akkoma server match response header append "X-Frame-Options" value "DENY" match response header append "X-Content-Type-Options" value "nosniff" match response header append "Referrer-Policy" value "same-origin" - match response header append "X-Download-Options" value "noopen" match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here match request header append "Connection" value "upgrade" #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working. diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 5f36b77d1..725d5f177 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -47,7 +47,6 @@ def headers do {"x-frame-options", "DENY"}, {"x-content-type-options", "nosniff"}, {"referrer-policy", referrer_policy}, - {"x-download-options", "noopen"}, {"content-security-policy", csp_string()}, {"permissions-policy", "interest-cohort=()"} ] diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs index 7f85f4a11..fee043f43 100644 --- a/test/pleroma/web/plugs/http_security_plug_test.exs +++ b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -17,7 +17,6 @@ test "it sends CSP headers when enabled", %{conn: conn} do refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] refute Conn.get_resp_header(conn, "x-frame-options") == [] refute Conn.get_resp_header(conn, "x-content-type-options") == [] - refute Conn.get_resp_header(conn, "x-download-options") == [] refute Conn.get_resp_header(conn, "referrer-policy") == [] refute Conn.get_resp_header(conn, "content-security-policy") == [] end @@ -155,7 +154,6 @@ test "it does not send CSP headers when disabled", %{conn: conn} do assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == [] assert Conn.get_resp_header(conn, "x-frame-options") == [] assert Conn.get_resp_header(conn, "x-content-type-options") == [] - assert Conn.get_resp_header(conn, "x-download-options") == [] assert Conn.get_resp_header(conn, "referrer-policy") == [] assert Conn.get_resp_header(conn, "content-security-policy") == [] end -- 2.43.0 From 5b9936ce7f9d0e81b9af8efd8214c988cfb35f11 Mon Sep 17 00:00:00 2001 From: r3g_5z Date: Sat, 19 Nov 2022 23:40:36 -0500 Subject: [PATCH 2/5] Raise HSTS max age to 2 years The longer the better, and various HTTP header checkers now suggest a 2 year age. Signed-off-by: r3g_5z --- config/config.exs | 2 +- config/description.exs | 2 +- docs/docs/installation/openbsd_en.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/config.exs b/config/config.exs index ba77d8b02..cab4a0845 100644 --- a/config/config.exs +++ b/config/config.exs @@ -487,7 +487,7 @@ config :pleroma, :http_security, enabled: true, sts: false, - sts_max_age: 31_536_000, + sts_max_age: 63_072_000, ct_max_age: 2_592_000, referrer_policy: "same-origin" diff --git a/config/description.exs b/config/description.exs index 287abb747..cd1f00339 100644 --- a/config/description.exs +++ b/config/description.exs @@ -1750,7 +1750,7 @@ label: "STS max age", type: :integer, description: "The maximum age for the Strict-Transport-Security header if sent", - suggestions: [31_536_000] + suggestions: [63_072_000] }, %{ key: :ct_max_age, diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md index e4ee661b1..8b2c459dc 100644 --- a/docs/docs/installation/openbsd_en.md +++ b/docs/docs/installation/openbsd_en.md @@ -167,7 +167,7 @@ http protocol plerup { # Protocol for upstream akkoma server match response header append "Referrer-Policy" value "same-origin" match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here match request header append "Connection" value "upgrade" - #match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" # Uncomment this only after you get HTTPS working. + #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains" # Uncomment this only after you get HTTPS working. # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines match response header append "Access-Control-Allow-Origin" value "*" -- 2.43.0 From 828e0f56c5d28ef062e4cfdb34f14c2892b977fe Mon Sep 17 00:00:00 2001 From: r3g_5z Date: Sat, 19 Nov 2022 23:46:02 -0500 Subject: [PATCH 3/5] Drop Expect-CT The header has been redundant since 2018 as all CAs and browsers enforce certificate transparency already and is now a requirement. It's also not even implemented in others browsers except for Chrome, and Chrome 107 deprecates this header. Signed-off-by: r3g_5z --- config/config.exs | 1 - config/description.exs | 7 ------- docs/docs/configuration/cheatsheet.md | 1 - docs/docs/configuration/hardening.md | 4 ---- lib/pleroma/web/plugs/http_security_plug.ex | 4 +--- priv/gettext/ca/LC_MESSAGES/config_descriptions.po | 12 ------------ priv/gettext/config_descriptions.pot | 12 ------------ priv/gettext/es/LC_MESSAGES/config_descriptions.po | 12 ------------ priv/gettext/nl/LC_MESSAGES/config_descriptions.po | 12 ------------ test/pleroma/web/plugs/http_security_plug_test.exs | 2 -- 10 files changed, 1 insertion(+), 66 deletions(-) diff --git a/config/config.exs b/config/config.exs index cab4a0845..f586e3883 100644 --- a/config/config.exs +++ b/config/config.exs @@ -488,7 +488,6 @@ enabled: true, sts: false, sts_max_age: 63_072_000, - ct_max_age: 2_592_000, referrer_policy: "same-origin" config :cors_plug, diff --git a/config/description.exs b/config/description.exs index cd1f00339..b605bbd19 100644 --- a/config/description.exs +++ b/config/description.exs @@ -1752,13 +1752,6 @@ description: "The maximum age for the Strict-Transport-Security header if sent", suggestions: [63_072_000] }, - %{ - key: :ct_max_age, - label: "CT max age", - type: :integer, - description: "The maximum age for the Expect-CT header if sent", - suggestions: [2_592_000] - }, %{ key: :referrer_policy, type: :string, diff --git a/docs/docs/configuration/cheatsheet.md b/docs/docs/configuration/cheatsheet.md index 49c37147d..ee35d95bc 100644 --- a/docs/docs/configuration/cheatsheet.md +++ b/docs/docs/configuration/cheatsheet.md @@ -453,7 +453,6 @@ This will make Akkoma listen on `127.0.0.1` port `8080` and generate urls starti * ``enabled``: Whether the managed content security policy is enabled. * ``sts``: Whether to additionally send a `Strict-Transport-Security` header. * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent. -* ``ct_max_age``: The maximum age for the `Expect-CT` header if sent. * ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`. * ``report_uri``: Adds the specified url to `report-uri` and `report-to` group in CSP header. diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md index 833e766bd..1e4179686 100644 --- a/docs/docs/configuration/hardening.md +++ b/docs/docs/configuration/hardening.md @@ -51,10 +51,6 @@ content-security-policy: An additional “Strict transport security” header will be sent with the configured `sts_max_age` parameter. This tells the browser, that the domain should only be accessed over a secure HTTPs connection. -#### `ct_max_age` - -An additional “Expect-CT” header will be sent with the configured `ct_max_age` parameter. This enforces the use of TLS certificates that are published in the certificate transparency log. (see [Expect-CT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT)) - #### `referrer_policy` > Recommended value: `same-origin` diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 725d5f177..393ff58d3 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -236,11 +236,9 @@ def warn_if_disabled do defp maybe_send_sts_header(conn, true) do max_age_sts = Config.get([:http_security, :sts_max_age]) - max_age_ct = Config.get([:http_security, :ct_max_age]) merge_resp_headers(conn, [ - {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}, - {"expect-ct", "enforce, max-age=#{max_age_ct}"} + {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"} ]) end diff --git a/priv/gettext/ca/LC_MESSAGES/config_descriptions.po b/priv/gettext/ca/LC_MESSAGES/config_descriptions.po index 3a25f067e..ad2177a9b 100644 --- a/priv/gettext/ca/LC_MESSAGES/config_descriptions.po +++ b/priv/gettext/ca/LC_MESSAGES/config_descriptions.po @@ -1936,12 +1936,6 @@ msgstr "" "What user agent to use. Must be a string or an atom `:default`. Default " "value is `:default`." -#: lib/pleroma/docs/translator.ex:5 -#, fuzzy -msgctxt "config description at :pleroma-:http_security > :ct_max_age" -msgid "The maximum age for the Expect-CT header if sent" -msgstr "The maximum age for the Expect-CT header if sent" - #: lib/pleroma/docs/translator.ex:5 #, fuzzy msgctxt "config description at :pleroma-:http_security > :enabled" @@ -4993,12 +4987,6 @@ msgctxt "config label at :pleroma-:http > :user_agent" msgid "User agent" msgstr "User agent" -#: lib/pleroma/docs/translator.ex:5 -#, fuzzy -msgctxt "config label at :pleroma-:http_security > :ct_max_age" -msgid "CT max age" -msgstr "CT max age" - #: lib/pleroma/docs/translator.ex:5 #, fuzzy msgctxt "config label at :pleroma-:http_security > :enabled" diff --git a/priv/gettext/config_descriptions.pot b/priv/gettext/config_descriptions.pot index 9021fbfab..1a55bfe68 100644 --- a/priv/gettext/config_descriptions.pot +++ b/priv/gettext/config_descriptions.pot @@ -1612,12 +1612,6 @@ msgctxt "config description at :pleroma-:http > :user_agent" msgid "What user agent to use. Must be a string or an atom `:default`. Default value is `:default`." msgstr "" -#, elixir-autogen, elixir-format -#: lib/pleroma/docs/translator.ex:5 -msgctxt "config description at :pleroma-:http_security > :ct_max_age" -msgid "The maximum age for the Expect-CT header if sent" -msgstr "" - #, elixir-autogen, elixir-format #: lib/pleroma/docs/translator.ex:5 msgctxt "config description at :pleroma-:http_security > :enabled" @@ -4048,12 +4042,6 @@ msgctxt "config label at :pleroma-:http > :user_agent" msgid "User agent" msgstr "" -#, elixir-autogen, elixir-format -#: lib/pleroma/docs/translator.ex:5 -msgctxt "config label at :pleroma-:http_security > :ct_max_age" -msgid "CT max age" -msgstr "" - #, elixir-autogen, elixir-format #: lib/pleroma/docs/translator.ex:5 msgctxt "config label at :pleroma-:http_security > :enabled" diff --git a/priv/gettext/es/LC_MESSAGES/config_descriptions.po b/priv/gettext/es/LC_MESSAGES/config_descriptions.po index 9c1acae20..f3602ce46 100644 --- a/priv/gettext/es/LC_MESSAGES/config_descriptions.po +++ b/priv/gettext/es/LC_MESSAGES/config_descriptions.po @@ -1759,12 +1759,6 @@ msgstr "" "What user agent to use. Must be a string or an atom `:default`. Default " "value is `:default`." -#: lib/pleroma/docs/translator.ex:5 -#, elixir-autogen, elixir-format, fuzzy -msgctxt "config description at :pleroma-:http_security > :ct_max_age" -msgid "The maximum age for the Expect-CT header if sent" -msgstr "The maximum age for the Expect-CT header if sent" - #: lib/pleroma/docs/translator.ex:5 #, elixir-autogen, elixir-format, fuzzy msgctxt "config description at :pleroma-:http_security > :enabled" @@ -4420,12 +4414,6 @@ msgctxt "config label at :pleroma-:http > :user_agent" msgid "User agent" msgstr "User agent" -#: lib/pleroma/docs/translator.ex:5 -#, elixir-autogen, elixir-format, fuzzy -msgctxt "config label at :pleroma-:http_security > :ct_max_age" -msgid "CT max age" -msgstr "CT max age" - #: lib/pleroma/docs/translator.ex:5 #, elixir-autogen, elixir-format, fuzzy msgctxt "config label at :pleroma-:http_security > :enabled" diff --git a/priv/gettext/nl/LC_MESSAGES/config_descriptions.po b/priv/gettext/nl/LC_MESSAGES/config_descriptions.po index 4def37366..8ce06bf38 100644 --- a/priv/gettext/nl/LC_MESSAGES/config_descriptions.po +++ b/priv/gettext/nl/LC_MESSAGES/config_descriptions.po @@ -1759,12 +1759,6 @@ msgstr "" "What user agent to use. Must be a string or an atom `:default`. Default " "value is `:default`." -#: lib/pleroma/docs/translator.ex:5 -#, elixir-autogen, elixir-format, fuzzy -msgctxt "config description at :pleroma-:http_security > :ct_max_age" -msgid "The maximum age for the Expect-CT header if sent" -msgstr "The maximum age for the Expect-CT header if sent" - #: lib/pleroma/docs/translator.ex:5 #, elixir-autogen, elixir-format, fuzzy msgctxt "config description at :pleroma-:http_security > :enabled" @@ -4420,12 +4414,6 @@ msgctxt "config label at :pleroma-:http > :user_agent" msgid "User agent" msgstr "User agent" -#: lib/pleroma/docs/translator.ex:5 -#, elixir-autogen, elixir-format, fuzzy -msgctxt "config label at :pleroma-:http_security > :ct_max_age" -msgid "CT max age" -msgstr "CT max age" - #: lib/pleroma/docs/translator.ex:5 #, elixir-autogen, elixir-format, fuzzy msgctxt "config label at :pleroma-:http_security > :enabled" diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs index fee043f43..d6d841078 100644 --- a/test/pleroma/web/plugs/http_security_plug_test.exs +++ b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -27,7 +27,6 @@ test "it sends STS headers when enabled", %{conn: conn} do conn = get(conn, "/api/v1/instance") refute Conn.get_resp_header(conn, "strict-transport-security") == [] - refute Conn.get_resp_header(conn, "expect-ct") == [] end test "it does not send STS headers when disabled", %{conn: conn} do @@ -36,7 +35,6 @@ test "it does not send STS headers when disabled", %{conn: conn} do conn = get(conn, "/api/v1/instance") assert Conn.get_resp_header(conn, "strict-transport-security") == [] - assert Conn.get_resp_header(conn, "expect-ct") == [] end test "referrer-policy header reflects configured value", %{conn: conn} do -- 2.43.0 From c08ee3edb2ac2a4029448fa9f4971722eb1d3566 Mon Sep 17 00:00:00 2001 From: r3g_5z Date: Sat, 19 Nov 2022 23:48:49 -0500 Subject: [PATCH 4/5] Directly specify preload for Strict-Transport-Security For most browsers, this is usually implied by the header itself, however for HSTS to be effective you need to submit your root domain to hstspreload.org. If "preload" is not in the header, it will reject your domain. Signed-off-by: r3g_5z --- docs/docs/installation/openbsd_en.md | 2 +- lib/pleroma/web/plugs/http_security_plug.ex | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md index 8b2c459dc..a62421ee4 100644 --- a/docs/docs/installation/openbsd_en.md +++ b/docs/docs/installation/openbsd_en.md @@ -167,7 +167,7 @@ http protocol plerup { # Protocol for upstream akkoma server match response header append "Referrer-Policy" value "same-origin" match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here match request header append "Connection" value "upgrade" - #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains" # Uncomment this only after you get HTTPS working. + #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working. # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines match response header append "Access-Control-Allow-Origin" value "*" diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 393ff58d3..9e76ebd84 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -238,7 +238,7 @@ defp maybe_send_sts_header(conn, true) do max_age_sts = Config.get([:http_security, :sts_max_age]) merge_resp_headers(conn, [ - {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"} + {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"} ]) end -- 2.43.0 From f26108dba149584f10648cb2fba4e86c0a6e57ff Mon Sep 17 00:00:00 2001 From: r3g_5z Date: Sun, 20 Nov 2022 00:34:53 -0500 Subject: [PATCH 5/5] Set base-uri to none pleroma-fe doesn't use this and it seems too niche to have any use-case Signed-off-by: r3g_5z --- docs/docs/configuration/hardening.md | 2 +- docs/docs/installation/openbsd_en.md | 2 +- lib/pleroma/web/plugs/http_security_plug.ex | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md index 1e4179686..c5a9e160b 100644 --- a/docs/docs/configuration/hardening.md +++ b/docs/docs/configuration/hardening.md @@ -33,7 +33,7 @@ A content security policy (CSP) will also be set: ```csp content-security-policy: default-src 'none'; - base-uri 'self'; + base-uri 'none'; frame-ancestors 'none'; img-src 'self' data: blob: https:; media-src 'self' https:; diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md index a62421ee4..9693467f2 100644 --- a/docs/docs/installation/openbsd_en.md +++ b/docs/docs/installation/openbsd_en.md @@ -165,7 +165,7 @@ http protocol plerup { # Protocol for upstream akkoma server match response header append "X-Frame-Options" value "DENY" match response header append "X-Content-Type-Options" value "nosniff" match response header append "Referrer-Policy" value "same-origin" - match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here + match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'none'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here match request header append "Connection" value "upgrade" #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working. diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 9e76ebd84..47874a980 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -75,7 +75,7 @@ def headers do static_csp_rules = [ "default-src 'none'", - "base-uri 'self'", + "base-uri 'none'", "frame-ancestors 'none'", "style-src 'self' 'unsafe-inline'", "font-src 'self'", -- 2.43.0