Merge branch 'configurable-hsts' into fork

This commit is contained in:
Kay Faraday 2021-08-06 09:21:53 +00:00
commit 94c4a7bfdb
2 changed files with 11 additions and 1 deletions

View File

@ -286,3 +286,8 @@ MAX_REMOTE_EMOJI_SIZE=204800
# If unset, this defaults to "GNU Natalie Nguyen". If set to an empty string,
# the header is disabled.
# CLACKS_OVERHEAD=GNU Natalie Nguyen
# Whether to use HTTP Strict Transport Security.
# true and false toggle the default behavior.
# Any other value is used for the header as-is.
# HSTS=true

View File

@ -121,12 +121,17 @@ Rails.application.configure do
'X-XSS-Protection' => '1; mode=block',
'Permissions-Policy' => 'interest-cohort=()',
'Referrer-Policy' => 'same-origin',
'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
}
if not (clacks_overhead = ENV.fetch('CLACKS_OVERHEAD', 'GNU Natalie Nguyen')).empty?
config.action_dispatch.default_headers['X-Clacks-Overhead'] = clacks_overhead
end
if (hsts = ENV.fetch('HSTS', 'true')) == 'true'
config.action_dispatch.default_headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubdomains; preload'
elsif hsts != 'false'
config.action_dispatch.default_headers['Strict-Transport-Security'] = hsts
end
config.x.otp_secret = ENV.fetch('OTP_SECRET')
end