X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fendpoint.ex;h=7783b8e5cec06470e0281f466450cd612668654b;hb=0ce5623134de4356e74160f8d3e717aae414b1e7;hp=cbedca0046333196030b838363640e4be1c139d0;hpb=9908cf8fda7d47f23456033cd8c77126d14c81ab;p=akkoma
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index cbedca004..7783b8e5c 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -11,13 +11,17 @@ defmodule Pleroma.Web.Endpoint do
   #
   # You should set gzip to true if you are running phoenix.digest
   # when deploying your static files in production.
-  plug(Plug.Static, at: "/media", from: Pleroma.Upload.upload_path(), gzip: false)
+  plug(CORSPlug)
+  plug(Pleroma.Plugs.HTTPSecurityPlug)
+
+  plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)
 
   plug(
     Plug.Static,
     at: "/",
     from: :pleroma,
-    only: ~w(index.html static finmoji emoji packs sounds images instance sw.js favicon.png)
+    only:
+      ~w(index.html static finmoji emoji packs sounds images instance sw.js favicon.png schemas)
   )
 
   # Code reloading can be explicitly enabled under the
@@ -49,7 +53,11 @@ defmodule Pleroma.Web.Endpoint do
     Plug.Session,
     store: :cookie,
     key: "_pleroma_key",
-    signing_salt: "CqaoopA2"
+    signing_salt: "CqaoopA2",
+    http_only: true,
+    secure:
+      Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+    extra: "SameSite=Strict"
   )
 
   plug(Pleroma.Web.Router)
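Review bot: `plug(CORSPlug)` is added with no options, so the cross-origin policy it enforces is entirely the library's defaults (which, as far as I recall, permit any origin), and nothing in the hunk records whether that is intended for this endpoint. Either pass the intended `origin:`/`methods:`/`headers:` options explicitly or add a one-line comment above it stating why the defaults are acceptable here, so the next reader does not have to guess. Separately, the two new plugs sit directly beneath the comment block that describes the static-file plug (`# You should set gzip to true if you are running phoenix.digest ...`), so that comment now reads as if it documents CORSPlug and HTTPSecurityPlug; moving the two lines above that comment, or giving them their own short comment, keeps the text attached to the `Plug.Static` call it describes. The enclosing `defmodule Pleroma.Web.Endpoint` starts and ends outside the hunk.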
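Review bot: The `secure:` value becomes `nil` when `:secure_cookie_flag` is absent from the endpoint config, which silently produces a session cookie without the Secure attribute; `Keyword.get(:secure_cookie_flag, true)` (or `Keyword.fetch!` to fail loudly) would make the safe setting the default and a missing key visible rather than silent. Note also that the keyword list passed to `plug/2` is evaluated when the module is compiled, so the flag is read from compile-time config rather than from release runtime config; if that is intended, a comment on the `secure:` line such as `# read at compile time; set :secure_cookie_flag in compile-time config` would save the next maintainer a surprise. `extra: "SameSite=Strict"` means the cookie is not sent on top-level cross-site navigations into the instance, which may affect flows that arrive from another origin (e.g. OAuth redirects back to this endpoint); confirm that is acceptable for this deployment. The enclosing `plug(Plug.Session, ...)` call begins before the hunk.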