akkoma/lib/pleroma/web/plugs/http_security_plug.ex

254 lines
8 KiB
Elixir
Raw Normal View History

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
2018-11-11 06:50:28 +00:00
alias Pleroma.Config
2018-11-11 06:10:21 +00:00
import Plug.Conn
2020-01-28 14:04:13 +00:00
require Logger
2023-04-14 15:36:40 +00:00
@mix_env Mix.env()
2018-11-11 06:10:21 +00:00
def init(opts), do: opts
2018-12-09 09:12:48 +00:00
def call(conn, _options) do
2018-11-12 15:08:02 +00:00
if Config.get([:http_security, :enabled]) do
2018-12-09 09:12:48 +00:00
conn
2022-12-15 02:02:07 +00:00
|> merge_resp_headers(headers(conn))
2018-12-09 09:12:48 +00:00
|> maybe_send_sts_header(Config.get([:http_security, :sts]))
2018-11-11 06:50:28 +00:00
else
conn
end
2018-11-11 06:10:21 +00:00
end
def primary_frontend do
with %{"name" => frontend} <- Config.get([:frontends, :primary]),
available <- Config.get([:frontends, :available]),
%{} = primary_frontend <- Map.get(available, frontend) do
{:ok, primary_frontend}
end
end
def custom_http_frontend_headers do
with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
custom_headers
else
_ -> []
end
end
2022-12-15 02:02:07 +00:00
@spec headers(Plug.Conn.t()) :: [{String.t(), String.t()}]
def headers(conn) do
referrer_policy = Config.get([:http_security, :referrer_policy])
2019-05-16 05:49:40 +00:00
report_uri = Config.get([:http_security, :report_uri])
custom_http_frontend_headers = custom_http_frontend_headers()
2019-05-16 05:49:40 +00:00
headers = [
{"x-xss-protection", "0"},
2018-11-11 06:10:21 +00:00
{"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},
{"referrer-policy", referrer_policy},
2022-12-15 02:02:07 +00:00
{"content-security-policy", csp_string(conn)},
{"permissions-policy", "interest-cohort=()"}
2018-11-11 06:10:21 +00:00
]
2019-05-16 05:49:40 +00:00
headers =
if custom_http_frontend_headers do
custom_http_frontend_headers ++ headers
else
headers
end
2019-05-16 05:49:40 +00:00
if report_uri do
report_group = %{
"group" => "csp-endpoint",
"max-age" => 10_886_400,
"endpoints" => [
%{"url" => report_uri}
]
}
[{"report-to", Jason.encode!(report_group)} | headers]
2019-05-16 05:49:40 +00:00
else
headers
end
2018-11-11 06:10:21 +00:00
end
static_csp_rules = [
"default-src 'none'",
HTTP header improvements (#294) - Drop Expect-CT Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - Raise HSTS to 2 years and explicitly preload The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt. For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain. - Drop X-Download-Options This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this. - Set base-uri to 'none' This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag. I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed. I have not compiled my Elixr changes, but I don't see why they'd break. Co-authored-by: r3g_5z <june@terezi.dev> Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/294 Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev> Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
"base-uri 'none'",
"frame-ancestors 'none'",
"manifest-src 'self'"
]
@csp_start [Enum.join(static_csp_rules, ";") <> ";"]
2022-12-15 02:02:07 +00:00
defp csp_string(conn) do
scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
static_url = Pleroma.Web.Endpoint.static_url()
websocket_url = Pleroma.Web.Endpoint.websocket_url()
2019-05-16 05:49:40 +00:00
report_uri = Config.get([:http_security, :report_uri])
2022-12-15 02:02:07 +00:00
%{assigns: %{csp_nonce: nonce}} = conn
nonce_tag = "nonce-" <> nonce
img_src = "img-src 'self' data: blob:"
media_src = "media-src 'self'"
# Strict multimedia CSP enforcement only when MediaProxy is enabled
{img_src, media_src} =
if Config.get([:media_proxy, :enabled]) &&
!Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
sources = build_csp_multimedia_source_list()
{[img_src, sources], [media_src, sources]}
else
{[img_src, " https:"], [media_src, " https:"]}
end
2022-11-11 16:12:04 +00:00
connect_src =
if Config.get([:media_proxy, :enabled]) do
sources = build_csp_multimedia_source_list()
2023-01-02 15:21:19 +00:00
["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
2022-11-11 16:12:04 +00:00
else
2023-01-02 15:21:19 +00:00
["connect-src 'self' ", static_url, ?\s, websocket_url]
2022-11-11 16:12:04 +00:00
end
2023-01-02 15:21:19 +00:00
style_src = "style-src 'self' '#{nonce_tag}'"
font_src = "font-src 'self'"
2022-12-15 02:02:07 +00:00
2023-04-14 15:36:40 +00:00
script_src = "script-src 'self' '#{nonce_tag}' "
script_src = if @mix_env == :dev do
"script-src 'self' 'unsafe-eval' 'unsafe-inline'"
else
script_src
end
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
insecure = if scheme == "https", do: "upgrade-insecure-requests"
@csp_start
|> add_csp_param(img_src)
|> add_csp_param(media_src)
|> add_csp_param(connect_src)
|> add_csp_param(script_src)
2022-12-15 02:02:07 +00:00
|> add_csp_param(font_src)
|> add_csp_param(style_src)
|> add_csp_param(insecure)
|> add_csp_param(report)
|> :erlang.iolist_to_binary()
end
2019-05-16 05:49:40 +00:00
defp build_csp_from_whitelist([], acc), do: acc
defp build_csp_from_whitelist([last], acc) do
[build_csp_param_from_whitelist(last) | acc]
end
defp build_csp_from_whitelist([head | tail], acc) do
build_csp_from_whitelist(tail, [[?\s, build_csp_param_from_whitelist(head)] | acc])
end
# TODO: use `build_csp_param/1` after removing support bare domains for media proxy whitelist
defp build_csp_param_from_whitelist("http" <> _ = url) do
build_csp_param(url)
end
defp build_csp_param_from_whitelist(url), do: url
defp build_csp_multimedia_source_list do
media_proxy_whitelist =
[:media_proxy, :whitelist]
|> Config.get()
|> build_csp_from_whitelist([])
captcha_method = Config.get([Pleroma.Captcha, :method])
captcha_endpoint = Config.get([captcha_method, :endpoint])
base_endpoints =
[
[:media_proxy, :base_url],
[Pleroma.Upload, :base_url],
[Pleroma.Uploaders.S3, :public_endpoint]
]
|> Enum.map(&Config.get/1)
[captcha_endpoint | base_endpoints]
|> Enum.map(&build_csp_param/1)
|> Enum.reduce([], &add_source(&2, &1))
|> add_source(media_proxy_whitelist)
end
defp add_source(iodata, nil), do: iodata
defp add_source(iodata, []), do: iodata
defp add_source(iodata, source), do: [[?\s, source] | iodata]
defp add_csp_param(csp_iodata, nil), do: csp_iodata
2019-05-16 05:49:40 +00:00
defp add_csp_param(csp_iodata, param), do: [[param, ?;] | csp_iodata]
2018-11-11 06:50:28 +00:00
2020-07-06 15:59:41 +00:00
defp build_csp_param(nil), do: nil
defp build_csp_param(url) when is_binary(url) do
%{host: host, scheme: scheme} = URI.parse(url)
if scheme do
2020-07-06 16:28:08 +00:00
[scheme, "://", host]
end
end
2020-01-28 14:04:13 +00:00
def warn_if_disabled do
unless Config.get([:http_security, :enabled]) do
2020-01-29 14:43:23 +00:00
Logger.warn("
.i;;;;i.
iYcviii;vXY:
.YXi .i1c.
.YC. . in7.
.vc. ...... ;1c.
i7, .. .;1;
i7, .. ... .Y1i
,7v .6MMM@; .YX,
.7;. ..IMMMMMM1 :t7.
.;Y. ;$MMMMMM9. :tc.
vY. .. .nMMM@MMU. ;1v.
i7i ... .#MM@M@C. .....:71i
it: .... $MMM@9;.,i;;;i,;tti
:t7. ..... 0MMMWv.,iii:::,,;St.
.nC. ..... IMMMQ..,::::::,.,czX.
.ct: ....... .ZMMMI..,:::::::,,:76Y.
c2: ......,i..Y$M@t..:::::::,,..inZY
vov ......:ii..c$MBc..,,,,,,,,,,..iI9i
i9Y ......iii:..7@MA,..,,,,,,,,,....;AA:
iIS. ......:ii::..;@MI....,............;Ez.
.I9. ......:i::::...8M1..................C0z.
.z9; ......:i::::,.. .i:...................zWX.
vbv ......,i::::,,. ................. :AQY
c6Y. .,...,::::,,..:t0@@QY. ................ :8bi
:6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ,
:6o, .,,,,..:::,,,..i#MMMMMM#v................. YW2.
.n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn
7Uc. .:::,,,,,::,,,,.. i1t;,..................... .UEi
7C...::::::::::::,,,,.. .................... vSi.
;1;...,,::::::,......... .................. Yz:
v97,......... .voC.
izAotX7777777777777777777777777777777777777777Y7n92:
.;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov.
2020-01-30 14:07:41 +00:00
HTTP Security is disabled. Please re-enable it to prevent users from attacking
your instance and your users via malicious posts:
2020-01-28 14:04:13 +00:00
config :pleroma, :http_security, enabled: true
")
end
end
2018-11-11 06:50:28 +00:00
defp maybe_send_sts_header(conn, true) do
2018-11-12 15:08:02 +00:00
max_age_sts = Config.get([:http_security, :sts_max_age])
2018-11-11 06:50:28 +00:00
merge_resp_headers(conn, [
HTTP header improvements (#294) - Drop Expect-CT Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - Raise HSTS to 2 years and explicitly preload The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt. For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain. - Drop X-Download-Options This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this. - Set base-uri to 'none' This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag. I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed. I have not compiled my Elixr changes, but I don't see why they'd break. Co-authored-by: r3g_5z <june@terezi.dev> Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/294 Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev> Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
2018-11-11 06:50:28 +00:00
])
end
defp maybe_send_sts_header(conn, _), do: conn
2018-11-11 06:10:21 +00:00
end