akkoma/lib/pleroma/web
@r3g_5z@plem.sapphic.site 0e4c201f8d HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer the age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header from when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser or header analyser checks for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixir changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
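The commit message above lists a target header policy (HSTS at two years with includeSubDomains and preload, CSP base-uri 'none', Expect-CT and X-Download-Options dropped). The following is an added example, not Akkoma's own code, that audits a captured set of response headers against that policy. The preload thresholds (max-age of at least one year, includeSubDomains and the preload directive) are the submission requirements stated on hstspreload.org; the two-year figure is the commit's own target. The OLD_HEADERS and NEW_HEADERS samples are constructed for the example and are not captured from any instance.

```python
"""Audit HTTP response headers against the HSTS / CSP policy from the commit message.

Added example; not part of Akkoma. Sample headers below are constructed.
"""
from typing import Dict, List

# hstspreload.org submission requirements: max-age >= 1 year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31_536_000
# The commit's own target: two years.
TARGET_MAX_AGE = 63_072_000
# Headers the commit drops as deprecated / unchecked.
DEPRECATED_HEADERS = ("expect-ct", "x-download-options")


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its three directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive ([] if the directive is absent)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return []


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the headers match the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS: max-age missing or malformed")
        elif p["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age {p['max_age']} below preload minimum {PRELOAD_MIN_MAX_AGE}")
        elif p["max_age"] < TARGET_MAX_AGE:
            findings.append(f"HSTS: max-age {p['max_age']} below the two-year target")
        if not p["include_subdomains"]:
            findings.append("HSTS: includeSubDomains missing (required for preload)")
        if not p["preload"]:
            findings.append("HSTS: preload directive missing (hstspreload.org rejects the domain)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif csp_directive(csp, "base-uri") != ["'none'"]:
        findings.append("CSP: base-uri is not 'none' (an injected <base> could rewrite relative URLs)")

    for name in DEPRECATED_HEADERS:
        if name in h:
            findings.append(f"{name}: deprecated header still sent")
    return findings


# Constructed sample: the pre-change shape the commit message describes (1-year HSTS,
# no preload, deprecated headers still present, no base-uri directive).
OLD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Expect-CT": "enforce, max-age=1209600",
    "X-Download-Options": "noopen",
}

# Constructed sample: the post-change policy.
NEW_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; base-uri 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("old", OLD_HEADERS), ("new", NEW_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Run it against headers captured with `curl -sI https://your.instance/` (after pasting them into a dict) before submitting the root domain to hstspreload.org; the preload submission is the irreversible step, so the check that the preload directive is already served on the live site is the one worth automating.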
activity_pub microblogpub federation fixes (#288) 2022-11-18 11:14:35 +00:00
admin_api backend-i18n (#121) 2022-07-27 21:56:59 +00:00
akkoma_api/controllers Add enabled check on /translation/languages 2022-11-06 22:55:26 +00:00
api_spec Unilateral remove from followers (#232) 2022-10-19 10:01:14 +00:00
auth Fix LDAP user registration (#229) 2022-11-01 14:17:55 +00:00
common_api Post editing (#202) 2022-09-06 19:24:02 +00:00
fallback Add configurable theme color (#53) 2022-07-06 20:00:43 +00:00
federator Remove debug prints 2022-06-25 18:43:19 +01:00
feed maintenance: dependency upgrade (#81) 2022-07-18 00:56:35 +00:00
mailer Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
mastodon_api Include requested_by in relationship (#260) 2022-11-10 03:16:32 +00:00
media_proxy Use uppercase HTTP HEAD method for media preview proxy request (#128) 2022-07-30 21:58:14 +00:00
metadata Metadata/Utils: use summary as description if set 2022-09-11 19:55:38 +01:00
mongoose_im Change user.deactivated field to user.is_active 2021-01-15 11:24:46 -06:00
nodeinfo expose bubble instances via nodeinfo (#136) 2022-08-02 09:11:22 +00:00
o_auth Disconnect streaming sessions when token is revoked 2022-08-27 19:07:48 +01:00
o_status check for local_public? on AP route 2022-06-22 16:35:12 +01:00
pleroma_api Make backups require its own scope (#218) 2022-09-19 17:31:35 +00:00
plugs HTTP header improvements (#294) 2022-11-20 21:20:06 +00:00
preload/providers Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
push Push.Impl: support edits 2022-10-28 01:20:19 -04:00
rich_media remove all endpoints marked as deprecated (#91) 2022-07-20 12:00:58 +00:00
static_fe Merge remote-tracking branch 'origin/develop' into notice-routes 2021-12-25 19:57:53 -06:00
templates Remote interaction with posts (#198) 2022-09-08 10:19:22 +00:00
twitter_api Remote interaction with posts (#198) 2022-09-08 10:19:22 +00:00
utils Pleroma.Web.Params --> Pleroma.Web.Utils.Params 2021-06-08 12:50:47 -05:00
views Post editing (#202) 2022-09-06 19:24:02 +00:00
web_finger Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
api_spec.ex purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
common_api.ex Post editing (#202) 2022-09-06 19:24:02 +00:00
controller_helper.ex Pleroma.Web.Params --> Pleroma.Web.Utils.Params 2021-06-08 12:50:47 -05:00
embed_controller.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
endpoint.ex Remove instrumentors (#98) 2022-07-21 11:32:17 +00:00
federator.ex and i yoink (#275) 2022-11-14 15:07:26 +00:00
gettext.ex Fix incorrect fallback when English is set to first language 2022-06-29 20:47:10 +01:00
instance_document.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
manifest_controller.ex Expose /manifest.json for PWA 2021-11-24 17:50:55 -06:00
masto_fe_controller.ex API compatibility with fedibird, frontend config (#163) 2022-08-17 00:22:59 +00:00
media_proxy.ex media_proxy: switch from :crypto.hmac to :crypto.mac 2021-06-03 19:11:15 +02:00
metadata.ex Add configurable theme color (#53) 2022-07-06 20:00:43 +00:00
o_auth.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
pipelines.ex Remove precompiled javascript (#55) 2022-07-08 13:03:18 +00:00
plug.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
preload.ex Remove unused Logger 2021-09-01 14:56:48 -05:00
push.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
rel_me.ex Use finch everywhere (#33) 2022-07-04 16:30:38 +00:00
router.ex Unilateral remove from followers (#232) 2022-10-19 10:01:14 +00:00
streamer.ex Post editing (#202) 2022-09-06 19:24:02 +00:00
swagger.ex remove anonymous function from plug 2022-07-14 11:17:14 +01:00
translation_helpers.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
uploader_controller.ex Bump Copyright to 2021 2021-01-13 07:49:50 +01:00
web_finger.ex User: generate private keys on user creation 2022-09-11 19:54:37 +01:00
xml.ex respect content-type header in finger request 2021-03-19 18:53:55 +03:00