HTTP header improvements #294

Merged
floatingghost merged 5 commits from :http-header-improvements into develop 2022-11-20 21:20:06 +00:00
2 changed files with 2 additions and 2 deletions
Showing only changes of commit c08ee3edb2 - Show all commits

View file

@ -167,7 +167,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match response header append "Referrer-Policy" value "same-origin" match response header append "Referrer-Policy" value "same-origin"
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
match request header append "Connection" value "upgrade" match request header append "Connection" value "upgrade"
#match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains" # Uncomment this only after you get HTTPS working. #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working.
# If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines
match response header append "Access-Control-Allow-Origin" value "*" match response header append "Access-Control-Allow-Origin" value "*"

View file

@ -238,7 +238,7 @@ defp maybe_send_sts_header(conn, true) do
max_age_sts = Config.get([:http_security, :sts_max_age]) max_age_sts = Config.get([:http_security, :sts_max_age])
merge_resp_headers(conn, [ merge_resp_headers(conn, [
{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"} {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
]) ])
end end