diff options
| author | redmatrix <git@macgirvin.com> | 2016-02-04 20:38:22 -0800 |
|---|---|---|
| committer | redmatrix <git@macgirvin.com> | 2016-02-04 20:38:22 -0800 |
| commit | 425089524373137e11d3691e7efdce0fb89281c8 (patch) | |
| tree | 5a59032b3c28f13268075d937d10973288905be9 | |
| parent | bfeb89075f5e9d3a966c35fd1d0ec56e637a1522 (diff) | |
| download | volse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.tar.gz volse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.tar.bz2 volse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.zip | |
make strict transport security header optional
| -rwxr-xr-x | boot.php | 2 | ||||
| -rw-r--r-- | doc/hidden_configs.bb | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -2164,7 +2164,7 @@ function construct_page(&$a) { // security headers - see https://securityheaders.io - if($a->get_scheme() === 'https') + if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header']) header("Strict-Transport-Security: max-age=31536000"); header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"); diff --git a/doc/hidden_configs.bb b/doc/hidden_configs.bb index 4418e45ea..af938b0a6 100644 --- a/doc/hidden_configs.bb +++ b/doc/hidden_configs.bb @@ -100,6 +100,8 @@ This document assumes you're an administrator. [b]system.paranoia[/b] As the pconfig, but on a site-wide basis. Can be overwritten by member settings. + [b]system.transport_security_header[/b] + if non-zero and SSL is being used, include a strict-transport-security header on webpages [b]system.poke_basic[/b] Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs. [b]system.openssl_conf_file[/b] |