From c0a4895854c9435ec17f88d06ca7124b7e5fecb6 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Tue, 10 Apr 2018 02:29:11 +0200
Subject: [PATCH] Enable Content-Security-Policy header by default

---
 config/defaults.yml | 2 +-
 config/diaspora.yml.example | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/defaults.yml b/config/defaults.yml
index 221448318..4844cc56e 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -150,7 +150,7 @@ defaults:
 title: 'diaspora* social network'
 description: 'diaspora* is the online social world where you are in control.'
 csp:
- report_only: true
+ report_only: false
 report_uri:
 services:
 facebook:
diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
index d52378c29..b34845537 100644
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@@ -571,10 +571,10 @@ configuration: ## Section
 ## is blocked by CSP.
 csp:
- ## Report-Only header (default=true)
- ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
- ## this to false, the "Content-Security-Policy" header is added instead.
- #report_only: false
+ ## Report-Only header (default=false)
+ ## By default diaspora* adds a "Content-Security-Policy" header. If you set
+ ## this to true, the "Content-Security-Policy-Report-Only" header is added instead.
+ #report_only: true
 ## CSP report URI (default=)
 ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
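Review bot: With `report_only` flipped to false in the defaults.yml hunk, the `report_uri:` context line directly below it is still empty, so resources blocked by the now-enforced policy are visible only in the user's browser console and never reach the pod administrator. A short comment on that line, `# Enforced by default; blocked loads are not reported anywhere unless report_uri is set`, would make that trade-off visible to whoever edits these defaults. Pods that serve customized inline assets will now have those blocked instead of reported after upgrading, which is worth a line in a changelog; the diffstat shows only the two config files are touched. The second hunk (diaspora.yml.example) documents the same default but runs past the end of this view.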