http security: allow referrer-policy to be configured

William Pitcock 2018-11-12 15:14:46 +00:00
parent fe67665e19
commit ee5932a504
4 changed files with 22 additions and 2 deletions


@ -180,7 +180,8 @@
enabled: true, enabled: true,
sts: false, sts: false,
sts_max_age: 31_536_000, sts_max_age: 31_536_000,
ct_max_age: 2_592_000 ct_max_age: 2_592_000,
referrer_policy: "same-origin"
config :cors_plug, config :cors_plug,
max_age: 86_400, max_age: 86_400,


@ -86,3 +86,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
* ``sts``: Whether to additionally send a `Strict-Transport-Security` header * ``sts``: Whether to additionally send a `Strict-Transport-Security` header
* ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
* ``ct_max_age``: The maximum age for the `Expect-CT` header if sent * ``ct_max_age``: The maximum age for the `Expect-CT` header if sent
* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.


@ -15,12 +15,14 @@ def call(conn, options) do
end end
defp headers do defp headers do
referrer_policy = Config.get([:http_security, :referrer_policy])
[ [
{"x-xss-protection", "1; mode=block"}, {"x-xss-protection", "1; mode=block"},
{"x-permitted-cross-domain-policies", "none"}, {"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"}, {"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"}, {"x-content-type-options", "nosniff"},
{"referrer-policy", "same-origin"}, {"referrer-policy", referrer_policy},
{"x-download-options", "noopen"}, {"x-download-options", "noopen"},
{"content-security-policy", csp_string() <> ";"} {"content-security-policy", csp_string() <> ";"}
] ]
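Review bot: `Config.get([:http_security, :referrer_policy])` on the first added line has no fallback, so an instance whose config predates this commit (the key only receives a default in config.exs in this same change) would build `{"referrer-policy", nil}` instead of a binary header value; presumably the request then fails in Plug's header handling rather than merely omitting the header. Prefer `referrer_policy = Config.get([:http_security, :referrer_policy], "same-origin")` so the pre-commit behaviour remains the fallback. The accompanying docs restrict the value to `"same-origin"` or `"no-referrer"`, but nothing validates it; a typo yields an invalid Referrer-Policy token that browsers ignore, silently falling back to their own default and sending more referrer information than the operator intended, so an allow-list check at config time would be worthwhile. The body of `headers/0` and its closing `end` continue past the hunk.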


@ -58,4 +58,20 @@ test "it does not send STS headers when disabled", %{conn: conn} do
assert Conn.get_resp_header(conn, "strict-transport-security") == [] assert Conn.get_resp_header(conn, "strict-transport-security") == []
assert Conn.get_resp_header(conn, "expect-ct") == [] assert Conn.get_resp_header(conn, "expect-ct") == []
end end
test "referrer-policy header reflects configured value", %{conn: conn} do
conn =
conn
|> get("/api/v1/instance")
assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
Config.put([:http_security, :referrer_policy], "no-referrer")
conn =
build_conn()
|> get("/api/v1/instance")
assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
end
end end
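Review bot: The new test mutates global config with `Config.put([:http_security, :referrer_policy], "no-referrer")` and never restores it, so every later test in the run observes "no-referrer" and any test relying on the default becomes order-dependent (and if this case is `async: true`, which is outside the hunk, it races with other modules). Capture and restore the value at the top of the test: `original = Config.get([:http_security, :referrer_policy])` followed by `on_exit(fn -> Config.put([:http_security, :referrer_policy], original) end)`. The two single-step pipes (`conn |> get("/api/v1/instance")`) read better as plain calls, `get(conn, "/api/v1/instance")`. The `setup` that provides `conn` is outside the hunk; the final `end` here closes the test module.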