Merge branch 'feature/csp-plug' into 'develop'

migrate CSP management to CSPPlug

See merge request pleroma/pleroma!441

2 files changed, 14 insertions, 0 deletions

diff --git a/config/config.exs b/config/config.exs
index e82c490e3..9cc558564 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -176,6 +176,13 @@ config :pleroma, :suggestions,
   limit: 23,
   web: "https://vinayaka.distsn.org/?{{host}}+{{user}}"
 
+config :pleroma, :http_security,
+  enabled: true,
+  sts: false,
+  sts_max_age: 31_536_000,
+  ct_max_age: 2_592_000,
+  referrer_policy: "same-origin"
+
 config :cors_plug,
   max_age: 86_400,
   methods: ["POST", "PUT", "DELETE", "GET", "PATCH", "OPTIONS"],
diff --git a/config/config.md b/config/config.md
index 51172fc4d..5b4110646 100644
--- a/config/config.md
+++ b/config/config.md
@@ -80,3 +80,10 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
 * ``unfollow_blocked``: Whether blocks result in people getting unfollowed
 * ``outgoing_blocks``: Whether to federate blocks to other instances
 * ``deny_follow_blocked``: Whether to disallow following an account that has blocked the user in question
+
+## :http_security
+* ``enabled``: Whether the managed content security policy is enabled
+* ``sts``: Whether to additionally send a `Strict-Transport-Security` header
+* ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
+* ``ct_max_age``: The maximum age for the `Expect-CT` header if sent
+* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.