X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fplugs%2Fhttp_security_plug.ex;h=47874a980147561439e1894a4bcddd2134edc4b3;hb=0e4c201f8dd607f5f34a247e63ab968204946052;hp=5f36b77d166f217068db5d654ffd175d5dc53e94;hpb=6453297e9ce212279e7f6506bd04963092f48d77;p=akkoma
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 5f36b77d1..47874a980 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -47,7 +47,6 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 {"x-frame-options", "DENY"},
 {"x-content-type-options", "nosniff"},
 {"referrer-policy", referrer_policy},
-{"x-download-options", "noopen"},
 {"content-security-policy", csp_string()},
 {"permissions-policy", "interest-cohort=()"}
 ]
@@ -76,7 +75,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 static_csp_rules = [
 "default-src 'none'",
-"base-uri 'self'",
+"base-uri 'none'",
 "frame-ancestors 'none'",
 "style-src 'self' 'unsafe-inline'",
 "font-src 'self'",
@@ -237,11 +236,9 @@ your instance and your users via malicious posts:
 defp maybe_send_sts_header(conn, true) do
 max_age_sts = Config.get([:http_security, :sts_max_age])
-max_age_ct = Config.get([:http_security, :ct_max_age])
 merge_resp_headers(conn, [
-{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
-{"expect-ct", "enforce, max-age=#{max_age_ct}"}
+{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
 ])
 end
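Review bot: Tightening `base-uri` from `'self'` to `'none'` in `static_csp_rules` forbids any `<base>` element at all, so if a bundled frontend served under this plug emits a `<base href>` for its relative asset URLs, those URLs will break silently rather than fall back to the document origin. I cannot see the frontend templates from this hunk, so this is worth confirming against what the instance actually serves before merging. A one-line comment on the new line would save the next reader the same question, e.g. `# 'none' forbids <base> entirely; frontends must not rely on <base href>`. The `static_csp_rules` list continues past the end of the hunk.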
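Review bot: `maybe_send_sts_header/2` now sends the `preload` token unconditionally, which signals every instance admin's consent to have the domain (and, via `includeSubDomains`, every subdomain) added to the browser HSTS preload list — an effectively irreversible commitment that should be an explicit opt-in rather than a default. The token is also only honoured for the preload list when `max-age` is at least one year, and `sts_max_age` is operator-configurable here, so a shorter configured value would advertise `preload` without meeting the criteria. I would gate it on a new config key: `preload = if Config.get([:http_security, :sts_preload], false), do: "; preload", else: ""` and `{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains#{preload}"}`. Dropping `Expect-CT` is fine since the header is deprecated and no longer enforced by browsers.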