pleroma/docs
@r3g_5z@plem.sapphic.site 0e4c201f8d HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
..
docs HTTP header improvements (#294) 2022-11-20 21:20:06 +00:00
theme/partials Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
Makefile add manual deploy for docs 2022-11-10 10:55:57 +00:00
mkdocs.yml doc: update repo link from docs to akkoma 2022-07-19 12:36:09 +03:00
Pipfile Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
Pipfile.lock Update documentation builder 2022-11-10 03:38:10 +00:00
README.md Documentation updates for stable release (#73) 2022-07-15 12:27:16 +00:00
requirements.txt fix requirements 2022-11-11 16:07:07 +00:00

Building the docs

You don't need to build and test the docs as long as you make sure the syntax is correct. But in case you do want to build the docs, feel free to do so.

You'll need to install mkdocs for which you can check the mkdocs installation guide. Generally it's best to install it using pip. You'll also need to install the correct dependencies.

Example using a Debian based distro

1. Install pipenv and dependencies

pip install pipenv
pipenv sync

2. (Optional) Activate the virtual environment

Since dependencies are installed in a virtual environment, you can't use them directly. To use them you should either prefix the command with pipenv run, or activate the virtual environment for current shell by executing pipenv shell once.

3. Build the docs using the script

[pipenv run] make all

4. Serve the files

A folder site containing the static html pages will have been created. You can serve them from a server by pointing your server software (nginx, apache...) to this location. During development, you can run locally with

[pipenv run] mkdocs serve

This handles setting up an http server and rebuilding when files change. You can then access the docs on http://127.0.0.1:8000