diff options
Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 11 | ||||
-rw-r--r-- | config/boot.rb | 2 | ||||
-rw-r--r-- | config/deploy.rb | 2 | ||||
-rw-r--r-- | config/environments/development.rb | 3 | ||||
-rw-r--r-- | config/environments/production.rb | 4 | ||||
-rw-r--r-- | config/environments/test.rb | 2 | ||||
-rw-r--r-- | config/initializers/content_security_policy.rb | 20 | ||||
-rw-r--r-- | config/initializers/cors.rb | 26 |
8 files changed, 56 insertions, 14 deletions
diff --git a/config/application.rb b/config/application.rb index 385bd4704..e989e2333 100644 --- a/config/application.rb +++ b/config/application.rb @@ -23,7 +23,7 @@ require_relative '../lib/mastodon/redis_config' module Mastodon class Application < Rails::Application # Initialize configuration defaults for originally generated Rails version. - config.load_defaults 5.1 + config.load_defaults 5.2 # Settings in config/environments/* take precedence over those specified here. # Application configuration should go into files in config/initializers @@ -85,15 +85,6 @@ module Mastodon config.active_job.queue_adapter = :sidekiq - config.middleware.insert_before 0, Rack::Cors do - allow do - origins '*' - resource '/@:username', headers: :any, methods: [:get], credentials: false - resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id'] - resource '/oauth/token', headers: :any, methods: [:post], credentials: false - end - end - config.middleware.use Rack::Attack config.middleware.use Rack::Deflater diff --git a/config/boot.rb b/config/boot.rb index 703738b76..0a3cd4ebe 100644 --- a/config/boot.rb +++ b/config/boot.rb @@ -1,7 +1,7 @@ ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) require 'bundler/setup' # Set up gems listed in the Gemfile. -require 'bootsnap' +require 'bootsnap' # Speed up boot time by caching expensive operations. Bootsnap.setup( cache_dir: 'tmp/cache', diff --git a/config/deploy.rb b/config/deploy.rb index 3fd149f21..180dd1c2a 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -lock '3.10.0' +lock '3.10.1' set :repo_url, ENV.fetch('REPO', 'https://github.com/tootsuite/mastodon.git') set :branch, ENV.fetch('BRANCH', 'master') diff --git a/config/environments/development.rb b/config/environments/development.rb index 285fea8b8..b6478f16e 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -13,13 +13,14 @@ Rails.application.configure do config.consider_all_requests_local = true # Enable/disable caching. By default caching is disabled. + # Run rails dev:cache to toggle caching. if Rails.root.join('tmp/caching-dev.txt').exist? config.action_controller.perform_caching = true config.cache_store = :redis_store, ENV['REDIS_URL'], REDIS_CACHE_PARAMS config.public_file_server.headers = { - 'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}", + 'Cache-Control' => "public, max-age=#{2.days.to_i}", } else config.action_controller.perform_caching = false diff --git a/config/environments/production.rb b/config/environments/production.rb index f372cd363..e742f668a 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -15,6 +15,10 @@ Rails.application.configure do config.action_controller.perform_caching = true config.action_controller.asset_host = ENV['CDN_HOST'] if ENV.key?('CDN_HOST') + # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"] + # or in config/master.key. This key is used to decrypt credentials (and other encrypted files). + # config.require_master_key = true + # Disable serving static files from the `/public` folder by default since # Apache or NGINX already handles this. config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present? diff --git a/config/environments/test.rb b/config/environments/test.rb index 122634d5b..1c1891561 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -15,7 +15,7 @@ Rails.application.configure do # Configure public file server for tests with Cache-Control for performance. config.public_file_server.enabled = true config.public_file_server.headers = { - 'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}" + 'Cache-Control' => "public, max-age=#{1.hour.to_i}" } config.assets.digest = false diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb new file mode 100644 index 000000000..37f2c0d45 --- /dev/null +++ b/config/initializers/content_security_policy.rb @@ -0,0 +1,20 @@ +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +# Rails.application.config.content_security_policy do |p| +# p.default_src :self, :https +# p.font_src :self, :https, :data +# p.img_src :self, :https, :data +# p.object_src :none +# p.script_src :self, :https +# p.style_src :self, :https, :unsafe_inline +# +# # Specify URI for violation reports +# # p.report_uri "/csp-violation-report-endpoint" +# end + +# Report CSP violations to a specified URI +# For further information see the following documentation: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# Rails.application.config.content_security_policy_report_only = true diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb new file mode 100644 index 000000000..681a7498f --- /dev/null +++ b/config/initializers/cors.rb @@ -0,0 +1,26 @@ +# Be sure to restart your server when you modify this file. + +# Avoid CORS issues when API is called from the frontend app. +# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests. + +# Read more: https://github.com/cyu/rack-cors + +Rails.application.config.middleware.insert_before 0, Rack::Cors do + allow do + origins '*' + + resource '/@:username', + headers: :any, + methods: [:get], + credentials: false + resource '/api/*', + headers: :any, + methods: [:post, :put, :delete, :get, :patch, :options], + credentials: false, + expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id'] + resource '/oauth/token', + headers: :any, + methods: [:post], + credentials: false + end +end |