49 Commits

Author SHA1 Message Date
Daniel Micay
53c604e3cd raise fetchpriority for important images

This was detected by PageSpeed Insights as an issue and it makes sense
to address it.
2025-05-08 00:04:35 -04:00
smdyv
4430036ea2 Change string markings for replacements 2023-07-13 16:08:16 -04:00
Daniel Micay
fafee3dcbc drop legacy block-all-mixed-content 2023-07-11 11:23:57 -04:00
Daniel Micay
bfdffb6751 block WebRTC in Content Security Policy 2023-07-10 23:04:29 -04:00
Daniel Micay
8f2b158041 drop configuration to clear legacy push cookie 2023-03-24 18:46:50 -04:00
Daniel Micay
8649a94b53 update Roboto fonts 2023-03-06 11:41:01 -05:00
Daniel Micay
1bc589d45f drop HTTP/2 Push support since Chromium dropped it

This only improves performance for the initial page load by sending
resources that are almost always needed before the client receives the
preload headers and fetches them. It can degrade performance in some
edge cases such as clients with web fonts disabled or if the session
cookie is cleared without the cache being cleared. Clients can cancel
the push transfers once they start receiving them, but it's wasteful.

Safari and Firefox still support this feature but are likely to follow
the lead of Chromium and drop support for it. Few websites are going to
bother with it without Chromium support and usage is already dropping.
2023-02-10 03:56:20 -05:00
Daniel Micay
28262ab2b7 disable bluetooth in Permissions Policy 2022-10-11 12:09:01 -04:00
Daniel Micay
b03215be9d disable keyboard-map in Permissions Policy 2022-10-11 11:25:19 -04:00
Daniel Micay
7d0ad1a4de disable local-fonts in Permissions Policy 2022-10-11 11:15:10 -04:00
Daniel Micay
3991e51b7e remove legacy Expect-CT header 2022-08-25 23:15:08 -04:00
Rohan Kumar
d6fd0df002 Add "Origin-Agent-Cluster" header

Hint to browsers that we prefer per-origin process isolation. This
disables certain unsafe features regarding cross-origin same-site
resource sharing.

https://web.dev/origin-agent-cluster/#limitations

Specification link:
https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters

This is just a hint to browsers. Depending on resource availability,
they may or may not actually allocate a process. For this reason, it's
not a robust security feature although it is preferable.

This header needs to be active on all pages from an origin for it to
work.
2022-08-25 23:15:08 -04:00
Daniel Micay
e7efc21340 drop configuration for clearing legacy push cookie 2022-05-03 00:25:07 -04:00
June
b77821f4a5 add gamepad and speaker-selection to permissions policy

Signed-off-by: June <zanthed@riseup.net>
2022-04-18 17:06:28 -04:00
Daniel Micay
1bfe29f2eb rename push cookie for clarity 2021-12-11 10:18:04 -05:00
Daniel Micay
a9a1a3987a add preload/push for main page phone image 2021-12-11 09:50:51 -05:00
Daniel Micay
ebbf002a73 disable legacy X-XSS-Protection feature 2021-12-10 04:30:34 -05:00
Daniel Micay
7010b230c5 use http2_push instead of http2_push_preload

This avoids needing to conditionally add nopush to each preloaded
resource in the Link header. There's also no support for pushing
JavaScript modules via http2_push_preload since nginx doesn't have
support for rel=modulepreload.
2021-12-05 02:48:44 -05:00
Daniel Micay
fddfa68695 avoid sending unnecessary push cookie 2021-12-04 07:59:53 -05:00
Daniel Micay
fd59a56501 disable idle-detection in Permissions-Policy 2021-11-24 02:10:25 -05:00
Daniel Micay
2d079162d4 mark Expect-CT as largely obsolete 2021-06-08 12:27:04 -04:00
Daniel Micay
5e83027d04 disable unused Clipboard API features 2021-04-18 00:49:50 -04:00
Daniel Micay
1f027a3fce disable unused hid (WebHID API) feature 2021-04-18 00:40:47 -04:00
Daniel Micay
380e34f435 disable unused serial (Web Serial API) feature 2021-04-18 00:37:16 -04:00
Daniel Micay
3584a627f8 disable interest-cohort feature 2021-04-18 00:34:46 -04:00
Daniel Micay
3cfe562892 enforce strict Trusted Types without policies 2021-03-26 13:44:32 -04:00
Daniel Micay
a0d93f3375 explicitly set SameSite for preload session cookie 2021-03-23 10:46:50 -04:00
Daniel Micay
f298ee4b2b use once per session preload / push 2021-02-15 04:23:56 -05:00
Daniel Micay
ba302d9f86 use a single Link header for preloading 2021-02-15 03:41:54 -05:00
Daniel Micay
0c006f9afd add preload headers for core fonts 2021-02-15 03:25:22 -05:00
Daniel Micay
57f77c96cb drop support for obsolete Feature-Policy header

This has been replaced by Permissions-Policy.
2021-01-26 10:58:00 -05:00
Daniel Micay
548b13c09d temporarily disable Trusted Types for web-install

This can be enabled again when the zip library supports it.
2021-01-23 20:56:05 -05:00
Daniel Micay
fe063f50fe add foundation for WebUSB-based install page 2021-01-05 05:34:45 -05:00
Daniel Micay
d0f56dc6ab document deprecated/obsolete headers 2020-12-31 21:31:07 -05:00
Daniel Micay
dbee9a704c move TLS configuration into nginx.conf 2020-11-14 04:23:19 -05:00
Daniel Micay
d03e7c28b4 add require-trusted-types-for 'script' to CSP 2020-10-27 04:44:58 -04:00
Daniel Micay
e806721d7c add COOP / COEP headers 2020-10-27 04:20:17 -04:00
Daniel Micay
701ed6f301 add Permissions-Policy header 2020-10-03 20:53:38 -04:00
Daniel Micay
99b4037444 disable unused publickey-credentials-get feature 2020-09-27 19:10:27 -04:00
Daniel Micay
f59b4f2310 remove unused Feature-Policy speaker directive 2020-09-27 19:07:05 -04:00
Daniel Micay
c0f510be06 handle Feature-Policy standard renaming wake-lock 2020-09-27 18:54:00 -04:00
Daniel Micay
6d04912ef7 drop (unfortunately) obsolete HPKP support 2020-09-27 16:12:11 -04:00
Daniel Micay
27b24277e1 drop usage of report-uri for Expect-CT and CSP

This has proven to be unhelpful and we don't need this kind of reporting
with the simplicity of the site and policies.
2020-07-22 18:41:59 -04:00
Daniel Micay
2343434d83 stop pinning IdenTrust root that's on the way out 2020-04-19 19:20:43 -04:00
Daniel Micay
eb1566f6a1 switch HPKP backup pins 2020-04-07 14:39:56 -04:00
Daniel Micay
ef179138fa certbot-ocsp-fetcher for reliable OCSP stapling 2020-04-05 04:13:05 -04:00
Daniel Micay
3e4ee0cb28 move nginx https setup into a snippet 2020-04-01 10:30:30 -04:00
Daniel Micay
5a923bd1bb remove obsolete HPKP report-uri URL 2020-04-01 08:47:16 -04:00
Daniel Micay
9c1ebdd0d8 add nginx configuration 2020-04-01 03:12:09 -04:00