akkoma/lib/pleroma/web/plugs
@r3g_5z@plem.sapphic.site 0e4c201f8d
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: #294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
..
rate_limiter Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
admin_secret_authentication_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
authentication_plug.ex Pbkdf2: Use it everywhere. 2021-01-14 15:06:16 +01:00
basic_auth_decoder_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
cache.ex Skip cache when /objects or /activities is authenticated 2022-06-29 20:47:27 +01:00
digest_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
ensure_authenticated_plug.ex [#2510] Improved support for app-bound OAuth tokens. Auth-related refactoring. 2021-02-11 15:02:50 +03:00
ensure_public_or_authenticated_plug.ex [#2510] Improved support for app-bound OAuth tokens. Auth-related refactoring. 2021-02-11 15:02:50 +03:00
ensure_staff_privileged_plug.ex EnsureStaffPrivilegedPlug: don't let non-moderators through 2021-12-27 17:18:26 -06:00
ensure_user_token_assigns_plug.ex [#2510] Improved support for app-bound OAuth tokens. Auth-related refactoring. 2021-02-11 15:02:50 +03:00
expect_authenticated_check_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
expect_public_or_authenticated_check_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
federating_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
frontend_static.ex remove anonymous function from plug 2022-07-14 11:17:14 +01:00
http_security_plug.ex HTTP header improvements (#294) 2022-11-20 21:20:06 +00:00
http_signature_plug.ex GTS: cherry-picks and collection usage (#186) 2022-08-27 18:05:48 +00:00
idempotency_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
instance_static.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
mapped_signature_to_identity_plug.ex Check that the signature matches the creator 2022-10-14 11:48:32 +01:00
o_auth_plug.ex OAuthPlug: use user cache instead of joining 2022-09-11 19:55:55 +01:00
o_auth_scopes_plug.ex OAuthScopesPlug: remove transform_scopes in favor of explicit admin scope definitions 2021-02-17 21:37:23 +03:00
plug_helper.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
rate_limiter.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
remote_ip.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
set_format_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
set_locale_plug.ex Support multiple locales from userLanguage cookie 2022-06-29 20:47:10 +01:00
set_user_session_id_plug.ex Revert "Fix oauth2 (for real) (#179)" 2022-08-21 17:52:02 +01:00
static_fe_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
trailing_format_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
uploaded_media.ex strip \r and \r from content-disposition filenames 2022-11-10 11:54:12 +00:00
user_enabled_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
user_fetcher_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
user_is_admin_plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
user_is_staff_plug.ex Moderators: add UserIsStaffPlug 2021-07-12 21:57:52 -05:00
user_tracking_plug.ex Add active user count 2021-01-27 18:20:06 +04:00