tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 10:18:38 +00:00
Code Releases Activity

Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option

Browse Source
This commit is contained in:
silverwind
2024-04-03 01:17:38 +02:00
parent e006451ab1
commit aace6002ee
8 changed files with 19 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/content/administration/config-cheat-sheet.en-us.md
View File

@@ -202,7 +202,6 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `MAX_AGE`: **10m**: max time to cache response
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
## UI (`ui`)
@@ -584,6 +583,7 @@ And the following unique queues:
- `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.
- `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**: Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
- `DISABLE_QUERY_AUTH_TOKEN`: **false**: Reject API tokens sent in URL query string (Accept Header-based API tokens only). This setting will default to `true` in Gitea 1.23 and be deprecated in Gitea 1.24.
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: The value of the X-FRAME-OPTIONS header for HTML and API requests. Set to 'false' to remove the header.
## Camo (`camo`)

2
docs/content/administration/config-cheat-sheet.zh-cn.md
View File

@@ -200,7 +200,6 @@ menu:
- `MAX_AGE`: **10m**: 缓存响应的最大时间
- `ALLOW_CREDENTIALS`: **false**: 允许带有凭据的请求
- `HEADERS`: **Content-Type,User-Agent**: 允许请求携带的头部
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: 详见 `X-Frame-Options`HTTP头部.
## 界面 (`ui`)
@@ -552,6 +551,7 @@ Gitea 创建以下非唯一队列:
- off - 不检查密码复杂性
- `PASSWORD_CHECK_PWN`: **false**:检查密码是否在 [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) 中曝光。
- `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**缓存成功的令牌哈希。API 令牌在数据库中存储为 pbkdf2 哈希,但这意味着在存在多个 API 操作时可能会有显着的哈希负载。此缓存将在 LRU 缓存中存储成功的哈希令牌,以在性能和安全性之间保持平衡。
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: HTML 和 API 请求的 X-FRAME-OPTIONS 标头的值。 设置为“false”以删除标头。
## Camo (`camo`)