diff --git a/CHANGELOG b/CHANGELOG
index 2b260af..f42523e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ Revision history for Lutim
 - Gzip static assets with Mojolicious::Plugin::GzipStatic
 - Fix scroll-to-top when clicking on delete image
 - Add CSP header
+ - Add X-Content-Type-Options, X-XSS-Protection, X-Frame-Options headers
 0.10.4 2018-05-07
 - Fix bug in cache system that would allow someone to view an image with an incorrect decryption key
diff --git a/lib/Lutim.pm b/lib/Lutim.pm
index 56c6640..fdf356c 100644
--- a/lib/Lutim.pm
+++ b/lib/Lutim.pm
@@ -27,34 +27,37 @@ sub startup {
 my $config = $self->plugin('Config', {
 default => {
- provisioning => 100,
- provis_step => 5,
- length => 8,
- always_encrypt => 0,
- anti_flood_delay => 5,
- tweet_card_via => '@framasky',
- max_file_size => 10*1024*1024,
- https => 0,
- proposed_delays => '0,1,7,30,365',
- default_delay => 0,
- max_delay => 0,
- token_length => 24,
- crypto_key_length => 8,
- thumbnail_size => 100,
- theme => 'default',
- dbtype => 'sqlite',
- db_path => 'lutim.db',
- max_files_in_zip => 15,
- prefix => '/',
- minion => {
+ provisioning => 100,
+ provis_step => 5,
+ length => 8,
+ always_encrypt => 0,
+ anti_flood_delay => 5,
+ tweet_card_via => '@framasky',
+ max_file_size => 10*1024*1024,
+ https => 0,
+ proposed_delays => '0,1,7,30,365',
+ default_delay => 0,
+ max_delay => 0,
+ token_length => 24,
+ crypto_key_length => 8,
+ thumbnail_size => 100,
+ theme => 'default',
+ dbtype => 'sqlite',
+ db_path => 'lutim.db',
+ max_files_in_zip => 15,
+ prefix => '/',
+ minion => {
 enabled => 0,
 dbtype => 'sqlite',
 db_path => 'minion.db'
 },
- cache_max_size => 0,
- memcached_servers => [],
- quiet_logs => 0,
- disable_img_stats => 0,
+ cache_max_size => 0,
+ memcached_servers => [],
+ quiet_logs => 0,
+ disable_img_stats => 0,
+ x_frame_options => 'DENY',
+ x_content_type_options => 'nosniff',
+ x_xss_protection => '1; mode=block',
 }
 });
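Review bot: The default-config hash in this hunk is a verbatim copy of the one in lib/Mounter.pm and in t/test.t, so this commit has to add the same three `x_*` keys in all three places, and the t/test.t copy has already drifted (its new side no longer lists `tweet_card_via`). Hoisting the defaults into one shared hash that lib/Lutim.pm, lib/Mounter.pm and the test all read would remove the triplication and make such drift impossible. The enclosing `sub startup` starts and continues outside the hunk.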
diff --git a/lib/Lutim/Plugin/Headers.pm b/lib/Lutim/Plugin/Headers.pm
index 3697f7b..00fac6a 100644
--- a/lib/Lutim/Plugin/Headers.pm
+++ b/lib/Lutim/Plugin/Headers.pm
@@ -21,12 +21,12 @@ sub register {
 };
 my $frame_ancestors = '';
- #$frame_ancestors = "'none'" if $app->config('x_frame_options') eq 'DENY';
- #$frame_ancestors = "'self'" if $app->config('x_frame_options') eq 'SAMEORIGIN';
- #if ($app->config('x_frame_options') =~ m#^ALLOW-FROM#) {
- # $frame_ancestors = $app->config('x_frame_options');
- # $frame_ancestors =~ s#ALLOW-FROM +##;
- #}
+ $frame_ancestors = "'none'" if $app->config('x_frame_options') eq 'DENY';
+ $frame_ancestors = "'self'" if $app->config('x_frame_options') eq 'SAMEORIGIN';
+ if ($app->config('x_frame_options') =~ m#^ALLOW-FROM#) {
+ $frame_ancestors = $app->config('x_frame_options');
+ $frame_ancestors =~ s#ALLOW-FROM +##;
+ }
 $directives->{'frame-ancestors'} = $frame_ancestors if $frame_ancestors;
 $app->plugin('CSPHeader',
@@ -34,6 +34,17 @@ sub register {
 directives => $directives
 );
 }
+
+ # Add other headers
+ $app->hook(
+ before_dispatch => sub {
+ my $c = shift;
+
+ $c->res->headers->header('X-Frame-Options' => $app->config('x_frame_options')) if $app->config('x_frame_options');
+ $c->res->headers->header('X-Content-Type-Options' => $app->config('x_content_type_options')) if $app->config('x_content_type_options');
+ $c->res->headers->header('X-XSS-Protection' => $app->config('x_xss_protection')) if $app->config('x_xss_protection');
+ }
+ );
 }
 1;
diff --git a/lib/Mounter.pm b/lib/Mounter.pm
index 4ca741f..4c08b29 100644
--- a/lib/Mounter.pm
+++ b/lib/Mounter.pm
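Review bot: The `eq 'DENY'` / `eq 'SAMEORIGIN'` comparisons and the `m#^ALLOW-FROM#` match are case-sensitive, while the hook added in the next hunk forwards the configured string verbatim, so a value such as `sameorigin` produces an X-Frame-Options header with no matching `frame-ancestors` directive, and an unset value makes `eq` warn on undef under `use warnings`. Read the option once, `my $xfo = $app->config('x_frame_options') // '';`, compare `uc $xfo` against the two literals and use `m#^ALLOW-FROM#i`, so the header and the CSP directive cannot disagree. It is also worth a comment above the `if` that `ALLOW-FROM` was never implemented by Chromium or Safari and is obsolete, so the `frame-ancestors` value derived here is the control that actually takes effect in current browsers. `sub register` starts outside the hunk.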
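Review bot: The three `$c->res->headers->header(...) if $app->config(...)` lines in the new `before_dispatch` hook repeat one pattern with each config key typed twice, which is easy to mistype and awkward to extend (a Referrer-Policy or Strict-Transport-Security option would be a fourth copy). A header-name to config-key map with a single loop keeps one code path, as below. Separately, the `1; mode=block` default for `x_xss_protection` deserves a comment in the config template: current guidance (OWASP; Chromium has removed its XSS auditor) is to send `0` or omit the header because the legacy filter could itself be abused for information leaks, so operators should rely on the CSP instead — a recommendation, not a defect in this code. `sub register` starts outside the hunk.
```perl
    # Add other headers
    my %config_key_for = (
        'X-Frame-Options'        => 'x_frame_options',
        'X-Content-Type-Options' => 'x_content_type_options',
        'X-XSS-Protection'       => 'x_xss_protection',
    );
    $app->hook(
        before_dispatch => sub {
            my $c = shift;

            # An empty or false config value disables that header.
            for my $name (sort keys %config_key_for) {
                my $value = $app->config($config_key_for{$name});
                $c->res->headers->header($name => $value) if $value;
            }
        }
    );
```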
@@ -22,34 +22,37 @@ sub startup {
 {
 file => $cfile,
 default => {
- provisioning => 100,
- provis_step => 5,
- length => 8,
- always_encrypt => 0,
- anti_flood_delay => 5,
- tweet_card_via => '@framasky',
- max_file_size => 10*1024*1024,
- https => 0,
- proposed_delays => '0,1,7,30,365',
- default_delay => 0,
- max_delay => 0,
- token_length => 24,
- crypto_key_length => 8,
- thumbnail_size => 100,
- theme => 'default',
- dbtype => 'sqlite',
- db_path => 'lutim.db',
- max_files_in_zip => 15,
- prefix => '/',
- minion => {
+ provisioning => 100,
+ provis_step => 5,
+ length => 8,
+ always_encrypt => 0,
+ anti_flood_delay => 5,
+ tweet_card_via => '@framasky',
+ max_file_size => 10*1024*1024,
+ https => 0,
+ proposed_delays => '0,1,7,30,365',
+ default_delay => 0,
+ max_delay => 0,
+ token_length => 24,
+ crypto_key_length => 8,
+ thumbnail_size => 100,
+ theme => 'default',
+ dbtype => 'sqlite',
+ db_path => 'lutim.db',
+ max_files_in_zip => 15,
+ prefix => '/',
+ minion => {
 enabled => 0,
 dbtype => 'sqlite',
 db_path => 'minion.db'
 },
- cache_max_size => 0,
- memcached_servers => [],
- quiet_logs => 0,
- disable_img_stats => 0,
+ cache_max_size => 0,
+ memcached_servers => [],
+ quiet_logs => 0,
+ disable_img_stats => 0,
+ x_frame_options => 'DENY',
+ x_content_type_options => 'nosniff',
+ x_xss_protection => '1; mode=block',
 }
 }
 );
diff --git a/lutim.conf.template b/lutim.conf.template
index 4986a2b..9fe0188 100644
--- a/lutim.conf.template
+++ b/lutim.conf.template
@@ -215,6 +215,27 @@ # the default value is good for `default` theme #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/postgresql1.conf b/t/postgresql1.conf index ba72024..39bb7b5 100644 --- a/t/postgresql1.conf +++ b/t/postgresql1.conf @@ -159,6 +159,11 @@ # } #}, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for 
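Review bot: The three new comment blocks describe headers "that will be sent by Lstu", but this is Lutim's template (Lstu is a different Framasoft project), so the copy-pasted name should read `# X-Frame-Options header that will be sent by Lutim` and likewise for the X-Content-Type-Options and X-XSS-Protection blocks; the same wording is repeated in the t/postgresql*.conf and t/sqlite*.conf hunks below. The "Valid values" line lists `ALLOW-FROM https://example.com/`, which Chromium and Safari never implemented and which is obsolete today, so it would help operators to state that with this value only the derived CSP `frame-ancestors` directive is effective in current browsers. The comment should also say that `x_frame_options` must be written exactly in upper case, since the mapping to `frame-ancestors` in Lutim::Plugin::Headers compares with `eq` and an anchored case-sensitive match.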
@@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/postgresql2.conf b/t/postgresql2.conf index 7d7130f..60c92e2 100644 --- a/t/postgresql2.conf +++ b/t/postgresql2.conf @@ -159,6 +159,11 @@ # } }, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for @@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/postgresql3.conf b/t/postgresql3.conf index cb2bbe2..7252af3 100644 --- a/t/postgresql3.conf +++ b/t/postgresql3.conf @@ -159,6 +159,11 @@ } }, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for @@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/sqlite1.conf b/t/sqlite1.conf index aa6d84d..f29349f 100644 --- a/t/sqlite1.conf +++ b/t/sqlite1.conf @@ -159,6 +159,11 @@ # } #}, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for @@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/sqlite2.conf b/t/sqlite2.conf index 7907284..4ff1c0f 100644 --- a/t/sqlite2.conf +++ b/t/sqlite2.conf @@ -159,6 +159,11 @@ # } }, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for @@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/sqlite3.conf b/t/sqlite3.conf index c7d9a7d..0d6986f 100644 --- a/t/sqlite3.conf +++ b/t/sqlite3.conf @@ -159,6 +159,11 @@ } }, + # disable counters of images + # set to 1 to disable counters + # optional, counters are enabled by default + #disable_img_stats => 0, + # define the height of the thumbnails generated at users' will # this is not the height of the thumbnails send after upload, # we're talking about thumbnails generated when someone asked for @@ -178,6 +183,10 @@ # maximum size (in MB) of memory allowed for the image cache # Lutim has a built-in memory-based image cache to accelerate responses to often-viewed images. # This setting makes the cache remove oldest viewed image if the cache size is over it. + # WARNING: a cache is created for each hypnotoad worker, which by default is twice the number of + # CPUs you have. See http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers for details + # So, if you have 4 workers and set cache_max_size to 100, the real maximum size of RAM used for + # cache is 400MB. # If set to 0, the cache is disabled # optional, default is 0 #cache_max_size => 0, 
@@ -191,6 +200,42 @@ # optional, default is [] #memcached_servers => [], + # enable or disable Lutim built-in logs + # set to 1 to disable logs + # optional, default is 0 + #quiet_logs => 0, + + # Content-Security-Policy header that will be sent by Lstu + # Set to '' to disable CSP header + # https://content-security-policy.com/ provides a good documentation about CSP. + # https://report-uri.com/home/generate provides a tool to generate a CSP header. + # optional, default is "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + # NB: unsafe-inline for script-src and style-src are here only because morris, + # the graph library used in the stats page requires it + # the default value is good for `default` theme + #csp => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", + + # X-Frame-Options header that will be sent by Lstu + # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/' + # Set to '' to disable X-Frame-Options header + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly + # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) + # optional, default is 'DENY' + #x_frame_options => 'DENY', + + # X-Content-Type-Options that will be sent by Lstu + # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + # Set to '' to disable X-Content-Type-Options header + # optional, default is 'nosniff' + #x_content_type_options => 'nosniff', + + # X-XSS-Protection that will be sent by Lstu + # See 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + # Set to '' to disable X-XSS-Protection header + # optional, default is '1; mode=block' + #x_xss_protection => '1; mode=block', + ########################## # Lutim cron jobs settings ########################## diff --git a/t/test.t b/t/test.t index d8a3576..0172b97 100644 --- a/t/test.t +++ b/t/test.t @@ -26,33 +26,36 @@ BEGIN { { file => $cfile->to_abs->to_string, default => { - provisioning => 100, - provis_step => 5, - length => 8, - always_encrypt => 0, - anti_flood_delay => 5, - tweet_card_via => '@framasky', - max_file_size => 10*1024*1024, - https => 0, - proposed_delays => '0,1,7,30,365', - default_delay => 0, - max_delay => 0, - token_length => 24, - crypto_key_length => 8, - thumbnail_size => 100, - theme => 'default', - dbtype => 'sqlite', - db_path => 'lutim.db', - max_files_in_zip => 15, - prefix => '/', - minion => { + provisioning => 100, + provis_step => 5, + length => 8, + always_encrypt => 0, + anti_flood_delay => 5, + max_file_size => 10*1024*1024, + https => 0, + proposed_delays => '0,1,7,30,365', + default_delay => 0, + max_delay => 0, + token_length => 24, + crypto_key_length => 8, + thumbnail_size => 100, + theme => 'default', + dbtype => 'sqlite', + db_path => 'lutim.db', + max_files_in_zip => 15, + prefix => '/', + minion => { enabled => 0, dbtype => 'sqlite', db_path => 'minion.db' }, - cache_max_size => 0, - quiet_logs => 0, - disable_img_stats => 0, + cache_max_size => 0, + memcached_servers => [], + quiet_logs => 0, + disable_img_stats => 0, + x_frame_options => 'DENY', + x_content_type_options => 'nosniff', + x_xss_protection => '1; mode=block', } } ); 
@@ -64,7 +67,10 @@ my $t = Test::Mojo->new('Lutim');
 $t->get_ok('/')
 ->status_is(200)
 ->content_like(qr/Let's Upload That IMage/i)
- ->header_is('Content-Security-Policy' => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+ ->header_is('Content-Security-Policy' => "base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'")
+ ->header_is('X-Frame-Options' => 'DENY')
+ ->header_is('X-XSS-Protection' => '1; mode=block')
+ ->header_is('X-Content-Type-Options' => 'nosniff');
 # Gzip static assets
 $t->get_ok('/css/lutim.css')
diff --git a/themes/default/lib/Lutim/I18N/lutim.pot b/themes/default/lib/Lutim/I18N/lutim.pot
index 1c884ed..678b2af 100644
--- a/themes/default/lib/Lutim/I18N/lutim.pot
+++ b/themes/default/lib/Lutim/I18N/lutim.pot
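Review bot: The new `header_is` assertions only cover `/`, so they do not exercise the response where the headers are most likely to go missing, a static asset, even though the very next request in this file fetches `/css/lutim.css`; adding `->header_is('X-Frame-Options' => 'DENY')` and the other two to that chain would pin that the `before_dispatch` hook covers static responses as well. The disabled (`''`) and `SAMEORIGIN` settings of `x_frame_options`, which change both the header and the CSP `frame-ancestors` value, are also unasserted; a second Test::Mojo instance with an overriding config, or a dedicated test config file, would cover them.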
@@ -32,11 +32,11 @@ msgstr "" msgid "-or-" msgstr "" -#: lib/Lutim.pm:217 lib/Lutim/Command/cron/stats.pm:151 lib/Lutim/Command/cron/stats.pm:165 lib/Lutim/Command/cron/stats.pm:182 themes/default/templates/index.html.ep:5 themes/default/templates/partial/raw.js.ep:25 themes/default/templates/partial/raw.js.ep:8 themes/default/templates/raw.html.ep:10 +#: lib/Lutim.pm:220 lib/Lutim/Command/cron/stats.pm:151 lib/Lutim/Command/cron/stats.pm:165 lib/Lutim/Command/cron/stats.pm:182 themes/default/templates/index.html.ep:5 themes/default/templates/partial/raw.js.ep:25 themes/default/templates/partial/raw.js.ep:8 themes/default/templates/raw.html.ep:10 msgid "1 year" msgstr "" -#: lib/Lutim.pm:216 lib/Lutim/Command/cron/stats.pm:148 lib/Lutim/Command/cron/stats.pm:162 lib/Lutim/Command/cron/stats.pm:179 themes/default/templates/index.html.ep:4 themes/default/templates/partial/for_my_delay.html.ep:13 themes/default/templates/partial/lutim.js.ep:149 themes/default/templates/partial/raw.js.ep:22 themes/default/templates/partial/raw.js.ep:5 themes/default/templates/raw.html.ep:7 +#: lib/Lutim.pm:219 lib/Lutim/Command/cron/stats.pm:148 lib/Lutim/Command/cron/stats.pm:162 lib/Lutim/Command/cron/stats.pm:179 themes/default/templates/index.html.ep:4 themes/default/templates/partial/for_my_delay.html.ep:13 themes/default/templates/partial/lutim.js.ep:149 themes/default/templates/partial/raw.js.ep:22 themes/default/templates/partial/raw.js.ep:5 themes/default/templates/raw.html.ep:7 msgid "24 hours" msgstr "" 
@@ -503,7 +503,7 @@ msgstr "" msgid "core developer" msgstr "" -#: lib/Lutim.pm:215 lib/Lutim/Command/cron/stats.pm:147 lib/Lutim/Command/cron/stats.pm:161 lib/Lutim/Command/cron/stats.pm:178 themes/default/templates/index.html.ep:3 themes/default/templates/partial/raw.js.ep:21 themes/default/templates/partial/raw.js.ep:4 themes/default/templates/raw.html.ep:6 +#: lib/Lutim.pm:218 lib/Lutim/Command/cron/stats.pm:147 lib/Lutim/Command/cron/stats.pm:161 lib/Lutim/Command/cron/stats.pm:178 themes/default/templates/index.html.ep:3 themes/default/templates/partial/raw.js.ep:21 themes/default/templates/partial/raw.js.ep:4 themes/default/templates/raw.html.ep:6 msgid "no time limit" msgstr ""