gotosocial/internal/middleware
Daenney 02d6e2e3bc
[feature] Set some security related headers (#3065)
* Set frame-ancestors in the CSP
   This ensures we can't be loaded/embedded in an iframe. It also sets the
   older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
   This sets the policy such that browsers will never send the Referer
   header along with a request, unless it's a request to the same protocol,
   host/domain and port. Basically, only send it when navigating through
   our own UI, but not anything external.

   The default is strict-origin-when-cross-origin when unset, which sends
   the Referer header for requests unless it's going from HTTPS to HTTP
   (i.e a security downgrade, hence the 'strict').
2024-07-04 10:07:02 +02:00
..
cachecontrol.go [bugfix] Set Vary header correctly on cache-control (#1988) 2023-07-13 21:27:25 +02:00
contentsecuritypolicy_test.go [feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) 2023-08-23 14:32:27 +02:00
contentsecuritypolicy.go [feature] Set some security related headers (#3065) 2024-07-04 10:07:02 +02:00
cors.go [chore] Replace pinafore with semaphore (#1801) 2023-05-21 22:40:43 +02:00
extraheaders.go [feature] Set some security related headers (#3065) 2024-07-04 10:07:02 +02:00
gzip.go [chore] Improve copyright header handling (#1608) 2023-03-12 16:00:57 +01:00
headerfilter_test.go [feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00
headerfilter.go [feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00
logger.go [feature] Log pubKeyID for http-signed requests (#2501) 2024-01-09 10:41:15 +01:00
ratelimit_test.go [feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) 2023-08-23 14:32:27 +02:00
ratelimit.go [feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00
requestid.go [chore] ensure worker contexts have request ID (#2120) 2023-08-15 17:01:01 +01:00
session_test.go [chore] Improve copyright header handling (#1608) 2023-03-12 16:00:57 +01:00
session.go [chore] Improve copyright header handling (#1608) 2023-03-12 16:00:57 +01:00
signaturecheck.go [feature] Try HTTP signature validation with and without query params for incoming requests (#2591) 2024-01-31 14:15:28 +00:00
throttling_test.go [bugfix] increases sleep time before check in throttle test, to give more leeway (#2482) 2024-01-03 10:27:55 +00:00
throttling.go [performance] simpler throttling logic (#2407) 2023-12-16 12:53:42 +01:00
tokencheck.go [performance] remove last of relational queries to instead rely on caches (#2091) 2023-08-10 15:08:41 +01:00
useragent.go [feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00
util.go [feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00