make strict transport security header optional

2016-02-04 20:38:22 -08:00 · 2016-02-04 20:38:22 -08:00 · 4250895243
commit 4250895243
parent bfeb89075f
2 changed files with 3 additions and 1 deletions
--- a/boot.php
+++ b/boot.php
@ -2164,7 +2164,7 @@ function construct_page(&$a) {

 	// security headers - see https://securityheaders.io

-	if($a->get_scheme() === 'https')
+	if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
 		header("Strict-Transport-Security: max-age=31536000");

 	header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
--- a/doc/hidden_configs.bb
+++ b/doc/hidden_configs.bb
@ -100,6 +100,8 @@ This document assumes you're an administrator.
    [b]system.paranoia[/b]
        As the pconfig, but on a site-wide basis.  Can be overwritten
        by member settings.
+	[b]system.transport_security_header[/b]
+		if non-zero and SSL is being used, include a strict-transport-security header on webpages
 	[b]system.poke_basic[/b]
 		Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs. 
    [b]system.openssl_conf_file[/b]