Open dakkar opened 7 months ago
https://github.com/misskey-dev/misskey/pull/6731
(prob apply same config to inbox)
that PR adds code to sign outbound GET requests
I'm talking about validating signatures to inbound GET requests
It's the difference between
$ curl -H 'Accept:application/activity+json' https://social.treehouse.systems/@dysfun
{"error":"Request not signed"}
and
$ curl -H 'Accept:application/activity+json' https://s.thenautilus.net/@dakkar
(my whole profile
Summary
some other fedi software allows enforcing that all GET requests with
Accept: application/activity+json
be signed, and will refuse to serve both unsigned requests and signed requests from blocked / silenced / restricted instances.
Purpose
Some writing about this: https://hub.sunny.garden/2023/06/28/what-does-authorized_fetch-actually-do/ and https://docs.joinmastodon.org/admin/config/#authorized_fetch
The main effect is to make it much harder for blocked instances (and random data harvesters) to retrieve profiles and notes
(this feature was suggested by mia on Discord)