From: William Pitcock Date: Sun, 11 Nov 2018 06:53:42 +0000 (+0000) Subject: csp plug: add support for certificate transparency X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=df72978dce3805157537e8fa1a2fec35fcf9a7cd;p=akkoma csp plug: add support for certificate transparency --- diff --git a/config/config.exs b/config/config.exs index ad8653025..1d918919d 100644 --- a/config/config.exs +++ b/config/config.exs @@ -179,7 +179,8 @@ config :pleroma, :suggestions, config :pleroma, :csp, enabled: true, sts: false, - sts_max_age: 31_536_000 + sts_max_age: 31_536_000, + ct_max_age: 2_592_000 config :cors_plug, max_age: 86_400, diff --git a/config/config.md b/config/config.md index e08d206b6..34f703560 100644 --- a/config/config.md +++ b/config/config.md @@ -85,3 +85,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i * ``enabled``: Whether the managed content security policy is enabled * ``sts``: Whether to additionally send a `Strict-Transport-Security` header * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent +* ``ct_max_age``: The maximum age for the `Except-CT` header if sent diff --git a/lib/pleroma/plugs/csp_plug.ex b/lib/pleroma/plugs/csp_plug.ex index 56f2376ee..8fc21b909 100644 --- a/lib/pleroma/plugs/csp_plug.ex +++ b/lib/pleroma/plugs/csp_plug.ex @@ -44,10 +44,12 @@ defmodule Pleroma.Plugs.CSPPlug do end defp maybe_send_sts_header(conn, true) do - max_age = Config.get([:csp, :sts_max_age]) + max_age_sts = Config.get([:csp, :sts_max_age]) + max_age_ct = Config.get([:csp, :ct_max_age]) merge_resp_headers(conn, [ - {"strict-transport-security", "max-age=#{max_age}; includeSubDomains"} + {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}, + {"expect-ct", "enforce, max-age=#{max_age_ct}"} ]) end