HTTP header improvements #294

Merged
floatingghost merged 5 commits from :http-header-improvements into develop 2022-11-20 21:20:06 +00:00

5 commits

Author SHA1 Message Date
r3g_5z
f26108dba1
Set base-uri to none
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful
pleroma-fe doesn't use this and it seems too niche to have any use case

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-20 00:34:53 -05:00
r3g_5z
c08ee3edb2
Directly specify preload for Strict-Transport-Security
For most browsers, this is usually implied by the header itself;
however, for HSTS to be effective you need to submit your root domain to
hstspreload.org. If "preload" is not in the header, it will reject your
domain.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 23:48:49 -05:00
r3g_5z
828e0f56c5
Drop Expect-CT
The header has been redundant since 2018, as all CAs and browsers enforce
certificate transparency already and it is now a requirement. It's also
not even implemented in other browsers except for Chrome, and
Chrome 107 deprecates this header.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 23:46:02 -05:00
r3g_5z
5b9936ce7f
Raise HSTS max age to 2 years
The longer the better, and various HTTP header checkers now suggest a
2 year age.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 23:40:36 -05:00
r3g_5z
413b40b510
Drop X-Download-Options
It's an IE8-era header where Adobe products used to use the IE engine
when making outbound web requests to embed webpages such as
Adobe Acrobat. This is something that a secure and modern CSP would
protect against.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 23:12:02 -05:00
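An added check, not part of this PR or of Pleroma's code, that audits a response header set against the policy these five commits adopt: an HSTS max-age of two years with `preload`, a CSP `base-uri 'none'`, and no `Expect-CT` or `X-Download-Options`. The two header sets at the bottom are constructed samples, not captures from a real instance.

```python
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s, the max-age this PR adopts
OBSOLETE = {"expect-ct", "x-download-options"}  # headers this PR drops

def parse_hsts(value):
    """Split an HSTS value into (max_age seconds or None, set of flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, flags  # malformed max-age counts as absent
        elif name:
            flags.add(name)
    return max_age, flags

def csp_base_uri(value):
    """Return the source list of the CSP base-uri directive, or None."""
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "base-uri":
            return [t.lower() for t in tokens[1:]]
    return None

def check_headers(headers):
    """Return a list of policy findings; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    max_age, flags = parse_hsts(hsts) if hsts else (None, set())
    if max_age is None or max_age < TWO_YEARS:
        findings.append("HSTS max-age missing or below two years")
    if "preload" not in flags:
        findings.append("HSTS lacks preload (hstspreload.org would reject)")
    if csp_base_uri(h.get("content-security-policy", "")) != ["'none'"]:
        findings.append("CSP base-uri is not 'none'")
    findings += [f"obsolete header present: {n}" for n in sorted(OBSOLETE & set(h))]
    return findings

# Constructed sample header sets: roughly "before" and "after" this PR.
BEFORE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'none'; base-uri 'self'",
          "Expect-CT": "enforce, max-age=120", "X-Download-Options": "noopen"}
AFTER = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
         "Content-Security-Policy": "default-src 'none'; base-uri 'none'"}
```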