Managing the various security parameters at the reverse proxy level has proven to be fragile for a multitude of reasons:
- Administrators do not understand the scope of the options, so fail to see the importance of enabling them.
- Administrators largely do not add new security options as we add them to the example configs.
- Some reverse proxies have strange behavior when adding additional headers to the response, such as the nginx header case-sensitivity bug that broke CORS.
Accordingly, we move the security parameters to a plug that is managed in the same way as CORSPlug. This allows for administrators to no longer need to worry about keeping the security parameters up to date as the parameters are now managed by Pleroma itself. This means that security developers can simply push out new security parameters by updating CSPPlug.