summaryrefslogtreecommitdiff
path: root/installation
diff options
context:
space:
mode:
Diffstat (limited to 'installation')
-rw-r--r--installation/caddyfile-pleroma.example22
-rw-r--r--installation/pleroma-apache.conf9
-rw-r--r--installation/pleroma.nginx11
-rw-r--r--installation/pleroma.vcl10
4 files changed, 0 insertions, 52 deletions
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example
index 305f2aa79..03ff000b6 100644
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -21,28 +21,6 @@ example.tld {
ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
}
- header / {
- X-XSS-Protection "1; mode=block"
- X-Frame-Options "DENY"
- X-Content-Type-Options "nosniff"
- Referrer-Policy "same-origin"
- Strict-Transport-Security "max-age=31536000; includeSubDomains;"
- Expect-CT "enforce, max-age=2592000"
- Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://{host}; upgrade-insecure-requests;"
- }
-
- # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines.
- # If you want to allow all origins access, remove the origin lines.
- # To use this directive, you need the http.cors plugin for Caddy.
- cors / {
- origin https://halcyon.example.tld
- origin https://pinafore.example.tld
- methods POST,PUT,DELETE,GET,PATCH,OPTIONS
- allowed_headers Authorization,Content-Type,Idempotency-Key
- exposed_headers Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id
- }
- # Stop removing lines here.
-
# If you do not want to use the mediaproxy function, remove these lines.
# To use this directive, you need the http.cache plugin for Caddy.
cache {
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index fb777983e..d5e75044f 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@@ -34,15 +34,6 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCompression off
SSLSessionTickets off
- Header always set X-Xss-Protection "1; mode=block"
- Header always set X-Frame-Options "DENY"
- Header always set X-Content-Type-Options "nosniff"
- Header always set Referrer-Policy same-origin
- Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://${servername}; upgrade-insecure-requests;"
-
- # Uncomment this only after you get HTTPS working.
- # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
-
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
diff --git a/installation/pleroma.nginx b/installation/pleroma.nginx
index 9b7419497..f0e684f2c 100644
--- a/installation/pleroma.nginx
+++ b/installation/pleroma.nginx
@@ -60,17 +60,6 @@ server {
client_max_body_size 16m;
location / {
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Frame-Options "DENY" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "same-origin" always;
- add_header X-Download-Options "noopen" always;
- add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action *; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://$server_name; upgrade-insecure-requests;" always;
-
- # Uncomment this only after you get HTTPS working.
- # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl
index 74490be2a..63c1cb74d 100644
--- a/installation/pleroma.vcl
+++ b/installation/pleroma.vcl
@@ -119,13 +119,3 @@ sub vcl_pipe {
set bereq.http.connection = req.http.connection;
}
}
-
-sub vcl_deliver {
- set resp.http.X-Frame-Options = "DENY";
- set resp.http.X-XSS-Protection = "1; mode=block";
- set resp.http.X-Content-Type-Options = "nosniff";
- set resp.http.Referrer-Policy = "same-origin";
- set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;";
- # Uncomment this only after you get HTTPS working.
- # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains";
-}
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-24 22:31:18 +0000