Warn if HTTPSecurityPlug is disabled

lib/pleroma/application.ex

@@ -33,6 +33,7 @@ def user_agent do
   def start(_type, _args) do
     Pleroma.HTML.compile_scrubbers()
     Pleroma.Config.DeprecationWarnings.warn()
+    Pleroma.Plugs.HTTPSecurityPlug.warn_if_disabled()
     Pleroma.Repo.check_migrations_applied!()
     setup_instrumenters()
     load_custom_modules()

lib/pleroma/plugs/http_security_plug.ex

@@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
   alias Pleroma.Config
   import Plug.Conn
 
+  require Logger
+
   def init(opts), do: opts
 
   def call(conn, _options) do
@@ -90,6 +92,15 @@ defp csp_string do
     |> Enum.join("; ")
   end
 
+  def warn_if_disabled do
+    unless Config.get([:http_security, :enabled]) do
+      Logger.warn("HTTP Security is disabled. Add this line to you config to enable it:
+
+      config :pleroma, :http_security, enabled: true
+      ")
+    end
+  end
+
   defp maybe_send_sts_header(conn, true) do
     max_age_sts = Config.get([:http_security, :sts_max_age])
     max_age_ct = Config.get([:http_security, :ct_max_age])