0e4c201f8d
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
- Drop Expect-CT Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - Raise HSTS to 2 years and explicitly preload The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt. For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain. - Drop X-Download-Options This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this. - Set base-uri to 'none' This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag. I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed. I have not compiled my Elixr changes, but I don't see why they'd break. Co-authored-by: r3g_5z <june@terezi.dev> Reviewed-on: #294 Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev> Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
158 lines
5.7 KiB
Elixir
158 lines
5.7 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
|
|
use Pleroma.Web.ConnCase
|
|
|
|
alias Plug.Conn
|
|
|
|
describe "http security enabled" do
|
|
setup do: clear_config([:http_security, :enabled], true)
|
|
|
|
test "it sends CSP headers when enabled", %{conn: conn} do
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
refute Conn.get_resp_header(conn, "x-xss-protection") == []
|
|
refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
|
|
refute Conn.get_resp_header(conn, "x-frame-options") == []
|
|
refute Conn.get_resp_header(conn, "x-content-type-options") == []
|
|
refute Conn.get_resp_header(conn, "referrer-policy") == []
|
|
refute Conn.get_resp_header(conn, "content-security-policy") == []
|
|
end
|
|
|
|
test "it sends STS headers when enabled", %{conn: conn} do
|
|
clear_config([:http_security, :sts], true)
|
|
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
refute Conn.get_resp_header(conn, "strict-transport-security") == []
|
|
end
|
|
|
|
test "it does not send STS headers when disabled", %{conn: conn} do
|
|
clear_config([:http_security, :sts], false)
|
|
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
assert Conn.get_resp_header(conn, "strict-transport-security") == []
|
|
end
|
|
|
|
test "referrer-policy header reflects configured value", %{conn: conn} do
|
|
resp = get(conn, "/api/v1/instance")
|
|
|
|
assert Conn.get_resp_header(resp, "referrer-policy") == ["same-origin"]
|
|
|
|
clear_config([:http_security, :referrer_policy], "no-referrer")
|
|
|
|
resp = get(conn, "/api/v1/instance")
|
|
|
|
assert Conn.get_resp_header(resp, "referrer-policy") == ["no-referrer"]
|
|
end
|
|
|
|
test "it sends `report-to` & `report-uri` CSP response headers", %{conn: conn} do
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
|
|
|
assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|
|
|
|
|
[report_to] = Conn.get_resp_header(conn, "report-to")
|
|
|
|
assert report_to ==
|
|
"{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
|
|
end
|
|
|
|
test "default values for img-src and media-src with disabled media proxy", %{conn: conn} do
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
|
assert csp =~ "media-src 'self' https:;"
|
|
assert csp =~ "img-src 'self' data: blob: https:;"
|
|
end
|
|
|
|
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
|
|
clear_config([:http_security, :enabled], true)
|
|
clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
|
|
|
|
clear_config([:frontends, :available], %{
|
|
"fedi-fe" => %{
|
|
"name" => "fedi-fe",
|
|
"custom-http-headers" => [{"service-worker-allowed", "/"}]
|
|
}
|
|
})
|
|
|
|
conn = get(conn, "/api/v1/instance")
|
|
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
|
|
end
|
|
end
|
|
|
|
describe "img-src and media-src" do
|
|
setup do
|
|
clear_config([:http_security, :enabled], true)
|
|
clear_config([:media_proxy, :enabled], true)
|
|
clear_config([:media_proxy, :proxy_opts, :redirect_on_failure], false)
|
|
end
|
|
|
|
test "media_proxy with base_url", %{conn: conn} do
|
|
url = "https://example.com"
|
|
clear_config([:media_proxy, :base_url], url)
|
|
assert_media_img_src(conn, url)
|
|
assert_connect_src(conn, url)
|
|
end
|
|
|
|
test "upload with base url", %{conn: conn} do
|
|
url = "https://example2.com"
|
|
clear_config([Pleroma.Upload, :base_url], url)
|
|
assert_media_img_src(conn, url)
|
|
assert_connect_src(conn, url)
|
|
end
|
|
|
|
test "with S3 public endpoint", %{conn: conn} do
|
|
url = "https://example3.com"
|
|
clear_config([Pleroma.Uploaders.S3, :public_endpoint], url)
|
|
assert_media_img_src(conn, url)
|
|
end
|
|
|
|
test "with captcha endpoint", %{conn: conn} do
|
|
clear_config([Pleroma.Captcha.Mock, :endpoint], "https://captcha.com")
|
|
assert_media_img_src(conn, "https://captcha.com")
|
|
end
|
|
|
|
test "with media_proxy whitelist", %{conn: conn} do
|
|
clear_config([:media_proxy, :whitelist], ["https://example6.com", "https://example7.com"])
|
|
assert_media_img_src(conn, "https://example7.com https://example6.com")
|
|
end
|
|
|
|
# TODO: delete after removing support bare domains for media proxy whitelist
|
|
test "with media_proxy bare domains whitelist (deprecated)", %{conn: conn} do
|
|
clear_config([:media_proxy, :whitelist], ["example4.com", "example5.com"])
|
|
assert_media_img_src(conn, "example5.com example4.com")
|
|
end
|
|
end
|
|
|
|
defp assert_media_img_src(conn, url) do
|
|
conn = get(conn, "/api/v1/instance")
|
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
|
assert csp =~ "media-src 'self' #{url};"
|
|
assert csp =~ "img-src 'self' data: blob: #{url};"
|
|
end
|
|
|
|
defp assert_connect_src(conn, url) do
|
|
conn = get(conn, "/api/v1/instance")
|
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
|
assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
|
|
end
|
|
|
|
test "it does not send CSP headers when disabled", %{conn: conn} do
|
|
clear_config([:http_security, :enabled], false)
|
|
|
|
conn = get(conn, "/api/v1/instance")
|
|
|
|
assert Conn.get_resp_header(conn, "x-xss-protection") == []
|
|
assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
|
|
assert Conn.get_resp_header(conn, "x-frame-options") == []
|
|
assert Conn.get_resp_header(conn, "x-content-type-options") == []
|
|
assert Conn.get_resp_header(conn, "referrer-policy") == []
|
|
assert Conn.get_resp_header(conn, "content-security-policy") == []
|
|
end
|
|
end
|