plugs: add CSPPlug
This commit is contained in:
parent
617aff4f0c
commit
f516e317ea
|
@ -0,0 +1,38 @@
|
||||||
|
defmodule Pleroma.Plugs.CSPPlug do
|
||||||
|
import Plug.Conn
|
||||||
|
|
||||||
|
def init(opts), do: opts
|
||||||
|
|
||||||
|
def call(conn, options) do
|
||||||
|
conn = merge_resp_headers(conn, headers())
|
||||||
|
end
|
||||||
|
|
||||||
|
defp headers do
|
||||||
|
[
|
||||||
|
{"x-xss-protection", "1; mode=block"},
|
||||||
|
{"x-permitted-cross-domain-policies", "none"},
|
||||||
|
{"x-frame-options", "DENY"},
|
||||||
|
{"x-content-type-options", "nosniff"},
|
||||||
|
{"referrer-policy", "same-origin"},
|
||||||
|
{"x-download-options", "noopen"},
|
||||||
|
{"content-security-policy", csp_string() <> ";"}
|
||||||
|
]
|
||||||
|
end
|
||||||
|
|
||||||
|
defp csp_string do
|
||||||
|
[
|
||||||
|
"default-src 'none'",
|
||||||
|
"base-uri 'self'",
|
||||||
|
"form-action *",
|
||||||
|
"frame-ancestors 'none'",
|
||||||
|
"img-src 'self' data: https:",
|
||||||
|
"media-src 'self' https:",
|
||||||
|
"style-src 'self' 'unsafe-inline'",
|
||||||
|
"font-src 'self'",
|
||||||
|
"script-src 'self'",
|
||||||
|
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
|
||||||
|
"upgrade-insecure-requests"
|
||||||
|
]
|
||||||
|
|> Enum.join("; ")
|
||||||
|
end
|
||||||
|
end
|
|
@ -12,6 +12,7 @@ defmodule Pleroma.Web.Endpoint do
|
||||||
# You should set gzip to true if you are running phoenix.digest
|
# You should set gzip to true if you are running phoenix.digest
|
||||||
# when deploying your static files in production.
|
# when deploying your static files in production.
|
||||||
plug(CORSPlug)
|
plug(CORSPlug)
|
||||||
|
plug(Pleroma.Plugs.CSPPlug)
|
||||||
|
|
||||||
plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)
|
plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue