git.squeep.com Git - akkoma/blob - lib/pleroma/plugs/http_security_plug.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Plugs.HTTPSecurityPlug do
   6   alias Pleroma.Config
   7   import Plug.Conn
   8
   9   require Logger
  10
  11   def init(opts), do: opts
  12
  13   def call(conn, _options) do
  14     if Config.get([:http_security, :enabled]) do
  15       conn
  16       |> merge_resp_headers(headers())
  17       |> maybe_send_sts_header(Config.get([:http_security, :sts]))
  18     else
  19       conn
  20     end
  21   end
  22
  23   defp headers do
  24     referrer_policy = Config.get([:http_security, :referrer_policy])
  25     report_uri = Config.get([:http_security, :report_uri])
  26
  27     headers = [
  28       {"x-xss-protection", "1; mode=block"},
  29       {"x-permitted-cross-domain-policies", "none"},
  30       {"x-frame-options", "DENY"},
  31       {"x-content-type-options", "nosniff"},
  32       {"referrer-policy", referrer_policy},
  33       {"x-download-options", "noopen"},
  34       {"content-security-policy", csp_string() <> ";"}
  35     ]
  36
  37     if report_uri do
  38       report_group = %{
  39         "group" => "csp-endpoint",
  40         "max-age" => 10_886_400,
  41         "endpoints" => [
  42           %{"url" => report_uri}
  43         ]
  44       }
  45
  46       headers ++ [{"reply-to", Jason.encode!(report_group)}]
  47     else
  48       headers
  49     end
  50   end
  51
  52   defp csp_string do
  53     scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
  54     static_url = Pleroma.Web.Endpoint.static_url()
  55     websocket_url = Pleroma.Web.Endpoint.websocket_url()
  56     report_uri = Config.get([:http_security, :report_uri])
  57
  58     connect_src = "connect-src 'self' #{static_url} #{websocket_url}"
  59
  60     connect_src =
  61       if Pleroma.Config.get(:env) == :dev do
  62         connect_src <> " http://localhost:3035/"
  63       else
  64         connect_src
  65       end
  66
  67     script_src =
  68       if Pleroma.Config.get(:env) == :dev do
  69         "script-src 'self' 'unsafe-eval'"
  70       else
  71         "script-src 'self'"
  72       end
  73
  74     main_part = [
  75       "default-src 'none'",
  76       "base-uri 'self'",
  77       "frame-ancestors 'none'",
  78       "img-src 'self' data: blob: https:",
  79       "media-src 'self' https:",
  80       "style-src 'self' 'unsafe-inline'",
  81       "font-src 'self'",
  82       "manifest-src 'self'",
  83       connect_src,
  84       script_src
  85     ]
  86
  87     report = if report_uri, do: ["report-uri #{report_uri}; report-to csp-endpoint"], else: []
  88
  89     insecure = if scheme == "https", do: ["upgrade-insecure-requests"], else: []
  90
  91     (main_part ++ report ++ insecure)
  92     |> Enum.join("; ")
  93   end
  94
  95   def warn_if_disabled do
  96     unless Config.get([:http_security, :enabled]) do
  97       Logger.warn("
  98                                  .i;;;;i.
  99                                iYcviii;vXY:
 100                              .YXi       .i1c.
 101                             .YC.     .    in7.
 102                            .vc.   ......   ;1c.
 103                            i7,   ..        .;1;
 104                           i7,   .. ...      .Y1i
 105                          ,7v     .6MMM@;     .YX,
 106                         .7;.   ..IMMMMMM1     :t7.
 107                        .;Y.     ;$MMMMMM9.     :tc.
 108                        vY.   .. .nMMM@MMU.      ;1v.
 109                       i7i   ...  .#MM@M@C. .....:71i
 110                      it:   ....   $MMM@9;.,i;;;i,;tti
 111                     :t7.  .....   0MMMWv.,iii:::,,;St.
 112                    .nC.   .....   IMMMQ..,::::::,.,czX.
 113                   .ct:   ....... .ZMMMI..,:::::::,,:76Y.
 114                   c2:   ......,i..Y$M@t..:::::::,,..inZY
 115                  vov   ......:ii..c$MBc..,,,,,,,,,,..iI9i
 116                 i9Y   ......iii:..7@MA,..,,,,,,,,,....;AA:
 117                iIS.  ......:ii::..;@MI....,............;Ez.
 118               .I9.  ......:i::::...8M1..................C0z.
 119              .z9;  ......:i::::,.. .i:...................zWX.
 120              vbv  ......,i::::,,.      ................. :AQY
 121             c6Y.  .,...,::::,,..:t0@@QY. ................ :8bi
 122            :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ,
 123           :6o,  .,,,,..:::,,,..i#MMMMMM#v.................  YW2.
 124          .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn
 125          7Uc. .:::,,,,,::,,,,..   i1t;,..................... .UEi
 126          7C...::::::::::::,,,,..        ....................  vSi.
 127          ;1;...,,::::::,.........       ..................    Yz:
 128           v97,.........                                     .voC.
 129            izAotX7777777777777777777777777777777777777777Y7n92:
 130              .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov.
 131
 132 HTTP Security is disabled. Please re-enable it to prevent users from attacking
 133 your instance and your users via malicious posts:
 134
 135       config :pleroma, :http_security, enabled: true
 136       ")
 137     end
 138   end
 139
 140   defp maybe_send_sts_header(conn, true) do
 141     max_age_sts = Config.get([:http_security, :sts_max_age])
 142     max_age_ct = Config.get([:http_security, :ct_max_age])
 143
 144     merge_resp_headers(conn, [
 145       {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
 146       {"expect-ct", "enforce, max-age=#{max_age_ct}"}
 147     ])
 148   end
 149
 150   defp maybe_send_sts_header(conn, _), do: conn
 151 end