fedi/akkoma
1
0
Fork 0
mirror of https://akkoma.dev/AkkomaGang/akkoma.git synced 2024-11-09 17:55:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Drop XSS auditor

Browse source 
It's deprecated, removed in some, by all modern browsers and is known
to create XSS vulnerabilities in itself.

Signed-off-by: r3g_5z <june@terezi.dev>
This commit is contained in:
r3g_5z 2022-11-19 20:40:20 -05:00
parent fb5f846e8c
commit f90552f62e
No known key found for this signature in database
5 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/docs/configuration/hardening.md
View file

@ -23,7 +23,7 @@ This sets the `secure` flag on Akkomas session cookie. This makes sure, that
This will send additional HTTP security headers to the clients, including: This will send additional HTTP security headers to the clients, including:
* `X-XSS-Protection: "1; mode=block"` * `X-XSS-Protection: "0"`
* `X-Permitted-Cross-Domain-Policies: "none"` * `X-Permitted-Cross-Domain-Policies: "none"`
* `X-Frame-Options: "DENY"` * `X-Frame-Options: "DENY"`
* `X-Content-Type-Options: "nosniff"` * `X-Content-Type-Options: "nosniff"`

2
docs/docs/configuration/i2p.md
View file

@ -155,7 +155,7 @@ server {
location / { location / {
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;

2
docs/docs/configuration/onion_federation.md
View file

@ -99,7 +99,7 @@ server {
location / { location / {
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;

2
docs/docs/installation/openbsd_en.md
View file

@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match response header append "X-XSS-Protection" value "1; mode=block" match response header append "X-XSS-Protection" value "0"
match response header append "X-Permitted-Cross-Domain-Policies" value "none" match response header append "X-Permitted-Cross-Domain-Policies" value "none"
match response header append "X-Frame-Options" value "DENY" match response header append "X-Frame-Options" value "DENY"
match response header append "X-Content-Type-Options" value "nosniff" match response header append "X-Content-Type-Options" value "nosniff"

2
lib/pleroma/web/plugs/http_security_plug.ex
View file

@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
custom_http_frontend_headers = custom_http_frontend_headers() custom_http_frontend_headers = custom_http_frontend_headers()
headers = [ headers = [
{"x-xss-protection", "1; mode=block"}, {"x-xss-protection", "0"},
{"x-permitted-cross-domain-policies", "none"}, {"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"}, {"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"}, {"x-content-type-options", "nosniff"},