about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--config/application.rb5
-rw-r--r--config/environments/production.rb11
2 files changed, 11 insertions, 5 deletions
diff --git a/config/application.rb b/config/application.rb
index ac63e0e94..dd63017b3 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -71,10 +71,13 @@ module Mastodon
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins  '*'
-        resource '/assets/*', headers: :any, methods: [:get, :head, :options]
         resource '/@:username',  headers: :any, methods: [:get], credentials: false
         resource '/api/*',       headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
         resource '/oauth/token', headers: :any, methods: [:post], credentials: false
+        resource '/assets/*', headers: :any, methods: [:get, :head, :options]
+        resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
+        resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
+        resource '/packs/*', headers: :any, methods: [:get, :head, :options]
       end
     end
 
diff --git a/config/environments/production.rb b/config/environments/production.rb
index bd87d79a7..68229531d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -93,9 +93,12 @@ Rails.application.configure do
   end
 
   config.action_dispatch.default_headers = {
-    'Server'                 => 'Mastodon',
-    'X-Frame-Options'        => 'DENY',
-    'X-Content-Type-Options' => 'nosniff',
-    'X-XSS-Protection'       => '1; mode=block',
+    'Server'                  => 'Mastodon',
+    'X-Frame-Options'         => 'DENY',
+    'X-Content-Type-Options'  => 'nosniff',
+    'X-XSS-Protection'        => '1; mode=block',
+    'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social 'unsafe-inline'; base-uri 'none';" , 
+    'Referrer-Policy'         => 'no-referrer, strict-origin-when-cross-origin',
+    'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload'
   }
 end