mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-11-17 20:46:11 +00:00
Drop XSS auditor
It's deprecated, removed in some, by all modern browsers and is known to create XSS vulnerabilities in itself. Signed-off-by: r3g_5z <june@terezi.dev>
This commit is contained in:
parent
fb5f846e8c
commit
f90552f62e
|
@ -23,7 +23,7 @@ This sets the `secure` flag on Akkoma’s session cookie. This makes sure, that
|
|||
|
||||
This will send additional HTTP security headers to the clients, including:
|
||||
|
||||
* `X-XSS-Protection: "1; mode=block"`
|
||||
* `X-XSS-Protection: "0"`
|
||||
* `X-Permitted-Cross-Domain-Policies: "none"`
|
||||
* `X-Frame-Options: "DENY"`
|
||||
* `X-Content-Type-Options: "nosniff"`
|
||||
|
|
|
@ -155,7 +155,7 @@ server {
|
|||
|
||||
location / {
|
||||
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-XSS-Protection "0";
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
|
|
@ -99,7 +99,7 @@ server {
|
|||
|
||||
location / {
|
||||
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-XSS-Protection "0";
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
|
|
@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
|
|||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
|
||||
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
||||
|
||||
match response header append "X-XSS-Protection" value "1; mode=block"
|
||||
match response header append "X-XSS-Protection" value "0"
|
||||
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
|
||||
match response header append "X-Frame-Options" value "DENY"
|
||||
match response header append "X-Content-Type-Options" value "nosniff"
|
||||
|
|
|
@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|
|||
custom_http_frontend_headers = custom_http_frontend_headers()
|
||||
|
||||
headers = [
|
||||
{"x-xss-protection", "1; mode=block"},
|
||||
{"x-xss-protection", "0"},
|
||||
{"x-permitted-cross-domain-policies", "none"},
|
||||
{"x-frame-options", "DENY"},
|
||||
{"x-content-type-options", "nosniff"},
|
||||
|
|
Loading…
Reference in a new issue