csp plug: add support for certificate transparency
authorWilliam Pitcock <nenolod@dereferenced.org>
Sun, 11 Nov 2018 06:53:42 +0000 (06:53 +0000)
committerWilliam Pitcock <nenolod@dereferenced.org>
Sun, 11 Nov 2018 06:55:44 +0000 (06:55 +0000)
config/config.exs
config/config.md
lib/pleroma/plugs/csp_plug.ex

index ad8653025fd3c6a541488f76b213cf0f5bcc17bf..1d918919d96847433ef24f4499237f4075897ddb 100644 (file)
@@ -179,7 +179,8 @@ config :pleroma, :suggestions,
 config :pleroma, :csp,
   enabled: true,
   sts: false,
-  sts_max_age: 31_536_000
+  sts_max_age: 31_536_000,
+  ct_max_age: 2_592_000
 
 config :cors_plug,
   max_age: 86_400,
index e08d206b65962a4d16f3caf55171b1e7cb33dfaf..34f7035608b85c46f86b6cb85dd102c3c9c09e63 100644 (file)
@@ -85,3 +85,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
 * ``enabled``: Whether the managed content security policy is enabled
 * ``sts``: Whether to additionally send a `Strict-Transport-Security` header
 * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
+* ``ct_max_age``: The maximum age for the `Except-CT` header if sent
index 56f2376eefe1c304110dd09a671b6f37bf494370..8fc21b909b7eb5ac105b6f0aa69e07ddf3e7feda 100644 (file)
@@ -44,10 +44,12 @@ defmodule Pleroma.Plugs.CSPPlug do
   end
 
   defp maybe_send_sts_header(conn, true) do
-    max_age = Config.get([:csp, :sts_max_age])
+    max_age_sts = Config.get([:csp, :sts_max_age])
+    max_age_ct = Config.get([:csp, :ct_max_age])
 
     merge_resp_headers(conn, [
-      {"strict-transport-security", "max-age=#{max_age}; includeSubDomains"}
+      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
+      {"expect-ct", "enforce, max-age=#{max_age_ct}"}
     ])
   end
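Review bot: The new `expect-ct` header is emitted inside `maybe_send_sts_header/2`, so it is tied to `sts: true` with no toggle of its own, and it carries `enforce`: an operator who only opted into HSTS now also opts into hard Certificate Transparency enforcement, and a certificate served without SCTs would make the instance unreachable in browsers honouring the header for `ct_max_age` seconds. Keeping the two policies in separate clauses (sketched below; the call site in `call/2` is outside this hunk and would need to pass a dedicated flag such as a proposed `:ct` key next to `:sts`) would also let the function name describe what it does again. `max_age_ct` is interpolated unchecked; if the key is absent the header becomes `enforce, max-age=`, which is malformed — with the default added in config.exs this is probably only reachable from hand-edited configs, but a guard on `is_integer(max_age_ct)` is cheap. The config.md hunk spells the header `Except-CT`; it should read `Expect-CT`.

```elixir
  defp maybe_send_sts_header(conn, true) do
    max_age_sts = Config.get([:csp, :sts_max_age])

    merge_resp_headers(conn, [
      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}
    ])
  end

  # Expect-CT with `enforce` denies access on a certificate without SCTs, so it
  # is sent only when explicitly enabled, independently of the HSTS flag.
  defp maybe_send_ct_header(conn, true) do
    max_age_ct = Config.get([:csp, :ct_max_age])

    if is_integer(max_age_ct) do
      merge_resp_headers(conn, [{"expect-ct", "enforce, max-age=#{max_age_ct}"}])
    else
      conn
    end
  end

  defp maybe_send_ct_header(conn, _), do: conn
```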