michael,
@michael@thms.uk

Re 4.1.3: The release notes recommend:

“The recommended configuration for reverse proxies has been updated. [...] The change is about setting Content-Security-Policy: default-src 'none'; form-action 'none' and X-Content-Type-Options: nosniff on assets.”

This might be a bit confusing, because of the terminology:

Those two lines ought to go into the location ~ ^/system/ block - NOT location ~ ^/assets/

https://github.com/mastodon/mastodon/pull/25756/commits/8060ab945392b2fa88d75a49a09a4c5895e72f71

kikobar,
@kikobar@acc4e.com

@michael not sure I understand.

Those changes are in the system block and not the assets block, however they are already included in the tag v4.1.3, so in reality we don't need to do anything besides fetching the code and checking out the tag v4.1.3, correct?

michael,
@michael@thms.uk

@kikobar no, because the file included in the repo isn’t copied into your nginx configuration during update (or at any other time, really).

You need to copy and paste these two lines into your mastodon nginx config (unless you are proxying your media files, in which case you need to do something else).

kikobar,
@kikobar@acc4e.com

@michael got it. Thanks!
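
Added example (not part of the thread, and not Mastodon's own code): a small Python check that the two headers quoted from the release notes are set inside the location ~ ^/system/ block of an nginx config, rather than only under ^/assets/. The sample configs are constructed, and the parser assumes one flat config file with no braces inside quoted strings.

```python
import re

# Header values as quoted from the 4.1.3 release notes in the thread above.
REQUIRED = {
    "content-security-policy": "default-src 'none'; form-action 'none'",
    "x-content-type-options": "nosniff",
}
ADD_HEADER = re.compile(r"""add_header\s+(\S+)\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))""")

def location_body(conf, selector):
    """Return the brace-matched body of `location <selector> { ... }`, or None."""
    # Drop full-line comments so a commented-out directive does not count.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    m = re.search(r"location\s+" + re.escape(selector) + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def missing_headers(conf, selector="~ ^/system/"):
    """List required headers that are absent, or set to another value, in the block."""
    body = location_body(conf, selector)
    if body is None:
        return sorted(REQUIRED)
    found = {n.lower(): dq or sq or bare for n, dq, sq, bare in ADD_HEADER.findall(body)}
    return sorted(h for h, v in REQUIRED.items() if found.get(h) != v)

# Constructed sample configs: headers pasted into the wrong block, then the right one.
MISPLACED = """
location ~ ^/assets/ {
  add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
  add_header X-Content-Type-Options nosniff;
}
location ~ ^/system/ {
  try_files $uri =404;
}
"""
CORRECT = """
location ~ ^/system/ {
  add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
  add_header X-Content-Type-Options nosniff;
  try_files $uri =404;
}
"""

if __name__ == "__main__":
    print("misplaced:", missing_headers(MISPLACED), "| correct:", missing_headers(CORRECT))
```

To check a live instance, pass the text of your own Mastodon nginx site file to missing_headers(); an empty list means both headers are set in the system block.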
