pleroma/lib/pleroma/plugs/http_security_plug.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Plugs.HTTPSecurityPlug do
  alias Pleroma.Config
  import Plug.Conn

  require Logger

  def init(opts), do: opts

  def call(conn, _options) do
    if Config.get([:http_security, :enabled]) do
      conn
      |> merge_resp_headers(headers())
      |> maybe_send_sts_header(Config.get([:http_security, :sts]))
    else
      conn
    end
  end

  defp headers do
    referrer_policy = Config.get([:http_security, :referrer_policy])
    report_uri = Config.get([:http_security, :report_uri])

    headers = [
      {"x-xss-protection", "1; mode=block"},
      {"x-permitted-cross-domain-policies", "none"},
      {"x-frame-options", "DENY"},
      {"x-content-type-options", "nosniff"},
      {"referrer-policy", referrer_policy},
      {"x-download-options", "noopen"},
      {"content-security-policy", csp_string() <> ";"}
    ]

    if report_uri do
      report_group = %{
        "group" => "csp-endpoint",
        "max-age" => 10_886_400,
        "endpoints" => [
          %{"url" => report_uri}
        ]
      }

      headers ++ [{"reply-to", Jason.encode!(report_group)}]
    else
      headers
    end
  end

  defp csp_string do
    scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
    static_url = Pleroma.Web.Endpoint.static_url()
    websocket_url = Pleroma.Web.Endpoint.websocket_url()
    report_uri = Config.get([:http_security, :report_uri])

    connect_src = "connect-src 'self' #{static_url} #{websocket_url}"

    connect_src =
      if Pleroma.Config.get(:env) == :dev do
        connect_src <> " http://localhost:3035/"
      else
        connect_src
      end

    script_src =
      if Pleroma.Config.get(:env) == :dev do
        "script-src 'self' 'unsafe-eval'"
      else
        "script-src 'self'"
      end

    main_part = [
      "default-src 'none'",
      "base-uri 'self'",
      "frame-ancestors 'none'",
      "img-src 'self' data: https:",
      "media-src 'self' https:",
      "style-src 'self' 'unsafe-inline'",
      "font-src 'self'",
      "manifest-src 'self'",
      connect_src,
      script_src
    ]

    report = if report_uri, do: ["report-uri #{report_uri}; report-to csp-endpoint"], else: []

    insecure = if scheme == "https", do: ["upgrade-insecure-requests"], else: []

    (main_part ++ report ++ insecure)
    |> Enum.join("; ")
  end

  def warn_if_disabled do
    unless Config.get([:http_security, :enabled]) do
      Logger.warn("HTTP Security is disabled. Add this line to you config to enable it:

      config :pleroma, :http_security, enabled: true
      ")
    end
  end

  defp maybe_send_sts_header(conn, true) do
    max_age_sts = Config.get([:http_security, :sts_max_age])
    max_age_ct = Config.get([:http_security, :ct_max_age])

    merge_resp_headers(conn, [
      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
      {"expect-ct", "enforce, max-age=#{max_age_ct}"}
    ])
  end

  defp maybe_send_sts_header(conn, _), do: conn
end
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# Pleroma: A lightweight social networking server`
update copyright years to 2019 2018-12-31 16:41:47 +01:00			`# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 21:04:54 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

rename CSPPlug to HTTPSecurityPlug. 2018-11-12 16:08:02 +01:00			`defmodule Pleroma.Plugs.HTTPSecurityPlug do`
csp plug: add sts support 2018-11-11 07:50:28 +01:00			`alias Pleroma.Config`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`import Plug.Conn`

Warn if HTTPSecurityPlug is disabled 2020-01-28 15:04:13 +01:00			`require Logger`

plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`def init(opts), do: opts`

fix compile warnings 2018-12-09 10:12:48 +01:00			`def call(conn, _options) do`
rename CSPPlug to HTTPSecurityPlug. 2018-11-12 16:08:02 +01:00			`if Config.get([:http_security, :enabled]) do`
fix compile warnings 2018-12-09 10:12:48 +01:00			`conn`
			`\|> merge_resp_headers(headers())`
			`\|> maybe_send_sts_header(Config.get([:http_security, :sts]))`
csp plug: add sts support 2018-11-11 07:50:28 +01:00			`else`
			`conn`
			`end`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`end`

			`defp headers do`
http security: allow referrer-policy to be configured 2018-11-12 16:14:46 +01:00			`referrer_policy = Config.get([:http_security, :referrer_policy])`
add report uri and report to 2019-05-16 07:49:40 +02:00			`report_uri = Config.get([:http_security, :report_uri])`
http security: allow referrer-policy to be configured 2018-11-12 16:14:46 +01:00
add report uri and report to 2019-05-16 07:49:40 +02:00			`headers = [`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`{"x-xss-protection", "1; mode=block"},`
			`{"x-permitted-cross-domain-policies", "none"},`
			`{"x-frame-options", "DENY"},`
			`{"x-content-type-options", "nosniff"},`
http security: allow referrer-policy to be configured 2018-11-12 16:14:46 +01:00			`{"referrer-policy", referrer_policy},`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`{"x-download-options", "noopen"},`
			`{"content-security-policy", csp_string() <> ";"}`
			`]`
add report uri and report to 2019-05-16 07:49:40 +02:00
			`if report_uri do`
			`report_group = %{`
			`"group" => "csp-endpoint",`
			`"max-age" => 10_886_400,`
			`"endpoints" => [`
			`%{"url" => report_uri}`
			`]`
			`}`

			`headers ++ [{"reply-to", Jason.encode!(report_group)}]`
			`else`
			`headers`
			`end`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`end`

			`defp csp_string do`
Use url[:scheme] instead of protocol to determine if https is enabled 2019-02-12 00:08:52 +01:00			`scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]`
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469 2019-03-05 01:44:24 +01:00			`static_url = Pleroma.Web.Endpoint.static_url()`
Standardize construction of websocket URL This follows up on the change made in d747bd98 2019-05-03 13:45:04 +02:00			`websocket_url = Pleroma.Web.Endpoint.websocket_url()`
add report uri and report to 2019-05-16 07:49:40 +02:00			`report_uri = Config.get([:http_security, :report_uri])`
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469 2019-03-05 01:44:24 +01:00
			`connect_src = "connect-src 'self' #{static_url} #{websocket_url}"`
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-02 19:06:26 +01:00
			`connect_src =`
Replace Mix.env with Pleroma.Config.get(:env) Mix.env/0 is not availible in release environments such as distillery or elixir's built-in releases. 2019-06-06 22:59:51 +02:00			`if Pleroma.Config.get(:env) == :dev do`
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469 2019-03-05 01:44:24 +01:00			`connect_src <> " http://localhost:3035/"`
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-02 19:06:26 +01:00			`else`
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469 2019-03-05 01:44:24 +01:00			`connect_src`
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-02 19:06:26 +01:00			`end`

			`script_src =`
Replace Mix.env with Pleroma.Config.get(:env) Mix.env/0 is not availible in release environments such as distillery or elixir's built-in releases. 2019-06-06 22:59:51 +02:00			`if Pleroma.Config.get(:env) == :dev do`
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-02 19:06:26 +01:00			`"script-src 'self' 'unsafe-eval'"`
			`else`
			`"script-src 'self'"`
			`end`
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https This fixes running mastofe with MIX_ENV=dev 2018-11-26 21:40:29 +01:00
add report uri and report to 2019-05-16 07:49:40 +02:00			`main_part = [`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`"default-src 'none'",`
			`"base-uri 'self'",`
			`"frame-ancestors 'none'",`
			`"img-src 'self' data: https:",`
			`"media-src 'self' https:",`
			`"style-src 'self' 'unsafe-inline'",`
			`"font-src 'self'",`
Add manifest-src to allow manifest.json 2018-11-26 20:48:24 +01:00			`"manifest-src 'self'",`
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-02 19:06:26 +01:00			`connect_src,`
add report uri and report to 2019-05-16 07:49:40 +02:00			`script_src`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`]`
add report uri and report to 2019-05-16 07:49:40 +02:00
			`report = if report_uri, do: ["report-uri #{report_uri}; report-to csp-endpoint"], else: []`

			`insecure = if scheme == "https", do: ["upgrade-insecure-requests"], else: []`

			`(main_part ++ report ++ insecure)`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`\|> Enum.join("; ")`
			`end`
csp plug: add sts support 2018-11-11 07:50:28 +01:00
Warn if HTTPSecurityPlug is disabled 2020-01-28 15:04:13 +01:00			`def warn_if_disabled do`
			`unless Config.get([:http_security, :enabled]) do`
			`Logger.warn("HTTP Security is disabled. Add this line to you config to enable it:`

			`config :pleroma, :http_security, enabled: true`
			`")`
			`end`
			`end`

csp plug: add sts support 2018-11-11 07:50:28 +01:00			`defp maybe_send_sts_header(conn, true) do`
rename CSPPlug to HTTPSecurityPlug. 2018-11-12 16:08:02 +01:00			`max_age_sts = Config.get([:http_security, :sts_max_age])`
			`max_age_ct = Config.get([:http_security, :ct_max_age])`
csp plug: add sts support 2018-11-11 07:50:28 +01:00
			`merge_resp_headers(conn, [`
csp plug: add support for certificate transparency 2018-11-11 07:53:42 +01:00			`{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},`
			`{"expect-ct", "enforce, max-age=#{max_age_ct}"}`
csp plug: add sts support 2018-11-11 07:50:28 +01:00			`])`
			`end`

			`defp maybe_send_sts_header(conn, _), do: conn`
plugs: add CSPPlug 2018-11-11 07:10:21 +01:00			`end`