akkoma/lib/pleroma
@r3g_5z@plem.sapphic.site 0e4c201f8d HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer the age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header from when Adobe products used the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps use Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser or header analyser checks for this.

- Set base-uri to 'none'

This is used to specify the domain for relative links (the `<base>` HTML tag). pleroma-fe does not use this, and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixir changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: AkkomaGang/akkoma#294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
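Added example, not Akkoma's own code: a small Python audit that checks a response's headers for the four points raised in the commit message above. It flags the two dropped headers if they are still sent, parses Strict-Transport-Security and requires a two-year max-age together with the includeSubDomains and preload directives (hstspreload.org requires all three: max-age of at least one year, includeSubDomains, and preload), and requires the Content-Security-Policy base-uri to be exactly 'none', which also stops an injected `<base href>` from changing where relative script and form URLs resolve. The "old" and "new" header sets are constructed for the demonstration, not captured from any instance.

```python
"""Audit security response headers against the policy described in the commit:
no Expect-CT or X-Download-Options, HSTS with a two-year max-age plus
includeSubDomains and preload, and a CSP whose base-uri is exactly 'none'.
Added example, not Akkoma code; the sample header sets are constructed."""
from __future__ import annotations

ONE_YEAR = 31_536_000    # hstspreload.org minimum max-age, in seconds
TWO_YEARS = 63_072_000   # the value the commit moves the instance to

DEPRECATED_HEADERS = ("expect-ct", "x-download-options")


def parse_hsts(value: str) -> dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives.
    Valueless directives (includeSubDomains, preload) map to ''."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for headers that miss the policy; an empty list passes."""
    h = {name.lower(): val for name, val in headers.items()}
    findings: list[str] = []

    for name in DEPRECATED_HEADERS:
        if name in h:
            findings.append(f"{name}: deprecated header still sent")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else None
        if max_age is None:
            findings.append("strict-transport-security: max-age missing or invalid")
        elif max_age < ONE_YEAR:
            findings.append(
                f"strict-transport-security: max-age {max_age} is below the "
                f"hstspreload.org minimum of {ONE_YEAR}")
        elif max_age < TWO_YEARS:
            findings.append(
                f"strict-transport-security: max-age {max_age} is below two years ({TWO_YEARS})")
        for directive in ("includesubdomains", "preload"):
            if directive not in d:
                findings.append(
                    f"strict-transport-security: {directive} directive missing "
                    "(required by hstspreload.org)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("content-security-policy: missing")
    elif parse_csp(csp).get("base-uri") != ["'none'"]:
        findings.append("content-security-policy: base-uri is not 'none'")

    return findings


# Constructed samples: roughly the pre-commit shape and the post-commit shape.
OLD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Expect-CT": "enforce, max-age=2592000",
    "X-Download-Options": "noopen",
    "Content-Security-Policy": "default-src 'none'; base-uri 'self'",
}
NEW_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; base-uri 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("old", OLD_HEADERS), ("new", NEW_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

To run it against a live instance, feed `audit_headers` the header map from any HTTP client; header names are compared case-insensitively, as on the wire. Note that hstspreload.org also requires the redirect from HTTP to HTTPS and the header on the root domain itself, which this check cannot see from a single response.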
activity Post editing (#202) 2022-09-06 19:24:02 +00:00
akkoma Backend settings sync (#226) 2022-10-06 16:22:15 +00:00
captcha Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
collections GTS: cherry-picks and collection usage (#186) 2022-08-27 18:05:48 +00:00
config ensure .exs config is used before default (#197) 2022-09-02 22:05:39 +00:00
conversation Add API endpoint to remove a conversation 2021-02-15 21:48:13 +04:00
docs backend-i18n (#121) 2022-07-27 21:56:59 +00:00
ecto_type recipients fixes/hardening for CreateGenericValidator 2021-04-05 19:19:11 +02:00
emails Send emails i18n'd using backend-stored user language 2022-06-29 20:45:19 +01:00
emoji Fix emoji qualification (#124) 2022-07-28 12:02:36 +00:00
gun CI: Bump lint stage to elixir-1.12 2021-10-06 08:11:05 +02:00
helpers reuse valid oauth tokens (#182) 2022-08-25 14:37:51 +00:00
http microblogpub federation fixes (#288) 2022-11-18 11:14:35 +00:00
instances Remove unused pattern 2022-11-08 13:54:43 +00:00
mfa Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
migration_helper purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
migrators [#3213] Code formatting fix. 2021-03-12 12:25:18 +03:00
object Set instance reachable on fetch 2022-11-15 17:23:47 +00:00
password Pbkdf2: Use it everywhere. 2021-01-14 15:06:16 +01:00
reverse_proxy Dirty hack to make mediaproxy functional by relying on Hackney for that part 2021-12-16 11:36:58 -06:00
search Fix false error in meilisearch index (#221) 2022-09-20 10:36:21 +00:00
tesla/middleware Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
tests Fix compile cycle in Pleroma.Tests.AuthTestController 2021-06-09 13:30:19 -05:00
upload Support metadata for video files too 2021-06-08 12:54:09 -05:00
uploaders Use finch everywhere (#33) 2022-07-04 16:30:38 +00:00
user User: search: exclude deactivated users from user search 2022-09-15 21:21:06 -04:00
web HTTP header improvements (#294) 2022-11-20 21:20:06 +00:00
workers and i yoink (#275) 2022-11-14 15:07:26 +00:00
activity.ex format 2022-10-10 17:13:42 +01:00
announcement.ex Merge branch 'from/upstream-develop/tusooa/server-announcements' into 'develop' (#85) 2022-07-18 13:08:36 +00:00
announcement_read_relationship.ex Merge branch 'from/upstream-develop/tusooa/server-announcements' into 'develop' (#85) 2022-07-18 13:08:36 +00:00
application.ex Don't mess with the cache on metadata update 2022-11-08 10:39:01 +00:00
application_requirements.ex Support metadata for video files too 2021-06-08 12:54:09 -05:00
bookmark.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
caching.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
captcha.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
clippy.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
config.ex Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework 2021-02-23 13:58:35 +03:00
config_db.ex Revert guards on string_to_elixir_types/1, remove unnecessary assignment in test 2021-04-14 09:39:57 -05:00
constants.ex Post editing (#202) 2022-09-06 19:24:02 +00:00
conversation.ex Add API endpoint to remove a conversation 2021-02-15 21:48:13 +04:00
counter_cache.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
data_migration.ex [#3213] HashtagsTableMigrator state management refactoring & improvements (proper stats serialization etc.). 2021-02-16 23:14:15 +03:00
delivery.ex Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework 2021-01-13 22:11:16 +03:00
ecto_enums.ex v2 Suggestions: dismiss a suggestion 2021-11-26 20:19:29 -06:00
emoji-test.txt emoji-test: update to latest 15.0 draft 2022-09-11 19:55:45 +01:00
emoji.ex add extra tests for builder 2022-09-05 01:24:40 +01:00
filter.ex support for expires_in/expires_at in filters 2021-01-26 08:27:45 +03:00
following_relationship.ex optimise notifications query 2022-10-11 11:40:43 +01:00
formatter.ex allow small/center tags in misskeymarkdown (#132) 2022-08-01 12:46:52 +00:00
frontend.ex Use finch everywhere (#33) 2022-07-04 16:30:38 +00:00
gun.ex Gun: make Gun.API a runtime dep 2021-05-29 10:53:30 -05:00
hashtag.ex Refactor ES on top of search behaviour 2022-06-30 16:28:31 +01:00
healthcheck.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
html.ex Break out activity-specific HTML functions into Pleroma.Activity.HTML 2021-05-29 12:29:11 -05:00
http.ex remove unneeded function 2022-08-03 11:50:48 +01:00
instances.ex Switch to runtime deps in Pleroma.Instances 2021-06-08 18:03:34 -05:00
job_queue_monitor.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
jwt.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
keys.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
list.ex ListController: Fix being unable to add / remove users. 2021-01-18 16:28:36 +01:00
logging.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
maintenance.ex Fix typo 2021-10-06 10:49:25 -05:00
maps.ex utils: Fix maybe_splice_recipient when "object" isn’t a map 2021-04-05 19:19:12 +02:00
marker.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
mfa.ex Pbkdf2: Use it everywhere. 2021-01-14 15:06:16 +01:00
moderation_log.ex purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
notification.ex optimise notifications query 2022-10-11 11:40:43 +01:00
object.ex ObjectView: do not fetch an object for its ID 2022-09-11 19:52:59 +01:00
object_tombstone.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
otp_version.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
pagination.ex [#3213] Performance optimization of filtering by hashtags ("any" condition). 2021-03-07 11:33:21 +03:00
password_reset_token.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
registration.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
release_tasks.ex fix compatibility with meilisearch (#164) 2022-08-16 22:56:49 +00:00
repo.ex Remove instrumentors (#98) 2022-07-21 11:32:17 +00:00
report_note.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
reverse_proxy.ex Fix emoji qualification (#124) 2022-07-28 12:02:36 +00:00
scheduled_activity.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
search.ex Don't try removing deleted users and such from index as posts 2022-06-29 20:49:45 +01:00
signature.ex User: generate private keys on user creation 2022-09-11 19:54:37 +01:00
stats.ex don't use continue in Stats init for test env 2021-02-27 09:39:15 +03:00
thread_mute.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
upload.ex Post editing (#202) 2022-09-06 19:24:02 +00:00
user.ex microblogpub federation fixes (#288) 2022-11-18 11:14:35 +00:00
user_invite_token.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
user_note.ex MastoAPI: Add user notes on accounts 2021-11-21 16:56:26 +01:00
user_relationship.ex fix flaky test_user_relationship_test.exs:81 2022-10-23 13:31:01 +02:00
utils.ex extend custom runtime system (#108) 2022-07-24 16:42:43 +00:00
web.ex Refactor skipped plugs into Pleroma.Web functions 2021-06-08 19:15:04 -05:00
xml_builder.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00