From 6801ce299a3a0016bae08ee8f64602aeb0274659 Mon Sep 17 00:00:00 2001 From: kim Date: Wed, 17 Sep 2025 14:16:53 +0200 Subject: [chore] remove nollamas middleware for now (after discussions with a security advisor) (#4433) i'll keep this on a separate branch for now while i experiment with other possible alternatives, but for now both our hacky implementation especially, and more popular ones (like anubis) aren't looking too great on the deterrent front: https://github.com/eternal-flame-AD/pow-buster Co-authored-by: tobi Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4433 Co-authored-by: kim Co-committed-by: kim --- internal/web/web.go | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'internal/web/web.go') diff --git a/internal/web/web.go b/internal/web/web.go index c7b7c9f25..3468ef63b 100644 --- a/internal/web/web.go +++ b/internal/web/web.go @@ -101,16 +101,12 @@ func (m *Module) Route(r *router.Router, mi ...gin.HandlerFunc) { // Handlers that serve profiles and statuses should use // the SignatureCheck middleware, so that requests with - // content-type application/activity+json can be served, - // and (if enabled) the nollamas middleware, to protect - // against scraping by shitty LLM bullshit. + // content-type application/activity+json can be served. profileGroup := r.AttachGroup(profileGroupPath) profileGroup.Use(mi...) profileGroup.Use(middleware.SignatureCheck(m.isURIBlocked), middleware.CacheControl(middleware.CacheControlConfig{ Directives: []string{"no-store"}, })) - nollamas := middleware.NoLLaMas(m.cookiePolicy, m.processor.InstanceGetV1) - profileGroup.Use(nollamas) profileGroup.Handle(http.MethodGet, "", m.profileGETHandler) // use empty path here since it's the base of the group profileGroup.Handle(http.MethodGet, statusPath, m.threadGETHandler) -- cgit v1.2.3