Merge branch 'add-secure-and-samesite-cookie-flags' into 'develop'

[akkoma] / lib / pleroma / web / endpoint.ex

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index fdf7fb72a09cab6eded0a5e370b097d9a8f4aa54..955bd61f3b59af9c5953f64f182ba9bf15e06532 100644 (file)
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.Endpoint do
   #
   # You should set gzip to true if you are running phoenix.digest
   # when deploying your static files in production.
-  plug(Plug.Static, at: "/media", from: "uploads", gzip: false)
+  plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)
 
   plug(
     Plug.Static,
@@ -34,7 +34,9 @@ defmodule Pleroma.Web.Endpoint do
     Plug.Parsers,
     parsers: [:urlencoded, :multipart, :json],
     pass: ["*/*"],
-    json_decoder: Jason
+    json_decoder: Jason,
+    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
+    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
   )
 
   plug(Plug.MethodOverride)
@@ -47,7 +49,11 @@ defmodule Pleroma.Web.Endpoint do
     Plug.Session,
     store: :cookie,
     key: "_pleroma_key",
-    signing_salt: "CqaoopA2"
+    signing_salt: "CqaoopA2",
+    http_only: true,
+    secure:
+      Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+    extra: "SameSite=Strict"
   )
 
   plug(Pleroma.Web.Router)