harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

make strict transport security header optional

Browse Source
This commit is contained in:
redmatrix 2016-02-04 20:38:22 -08:00
parent bfeb89075f
commit 4250895243
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
boot.php
View File

@ -2164,7 +2164,7 @@ function construct_page(&$a) {
// security headers - see https://securityheaders.io // security headers - see https://securityheaders.io
if($a->get_scheme() === 'https') if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
header("Strict-Transport-Security: max-age=31536000"); header("Strict-Transport-Security: max-age=31536000");
header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"); header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");

2
doc/hidden_configs.bb
View File

@ -100,6 +100,8 @@ This document assumes you're an administrator.
[b]system.paranoia[/b] [b]system.paranoia[/b]
As the pconfig, but on a site-wide basis. Can be overwritten As the pconfig, but on a site-wide basis. Can be overwritten
by member settings. by member settings.
[b]system.transport_security_header[/b]
if non-zero and SSL is being used, include a strict-transport-security header on webpages
[b]system.poke_basic[/b] [b]system.poke_basic[/b]
Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs. Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs.
[b]system.openssl_conf_file[/b] [b]system.openssl_conf_file[/b]