aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-02-04 20:38:22 -0800
committerredmatrix <git@macgirvin.com>2016-02-04 20:38:22 -0800
commit425089524373137e11d3691e7efdce0fb89281c8 (patch)
tree5a59032b3c28f13268075d937d10973288905be9
parentbfeb89075f5e9d3a966c35fd1d0ec56e637a1522 (diff)
downloadvolse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.tar.gz
volse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.tar.bz2
volse-hubzilla-425089524373137e11d3691e7efdce0fb89281c8.zip
make strict transport security header optional
-rwxr-xr-xboot.php2
-rw-r--r--doc/hidden_configs.bb2
2 files changed, 3 insertions, 1 deletions
diff --git a/boot.php b/boot.php
index 238935da3..cb595e0ef 100755
--- a/boot.php
+++ b/boot.php
@@ -2164,7 +2164,7 @@ function construct_page(&$a) {
// security headers - see https://securityheaders.io
- if($a->get_scheme() === 'https')
+ if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
header("Strict-Transport-Security: max-age=31536000");
header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
diff --git a/doc/hidden_configs.bb b/doc/hidden_configs.bb
index 4418e45ea..af938b0a6 100644
--- a/doc/hidden_configs.bb
+++ b/doc/hidden_configs.bb
@@ -100,6 +100,8 @@ This document assumes you're an administrator.
[b]system.paranoia[/b]
As the pconfig, but on a site-wide basis. Can be overwritten
by member settings.
+ [b]system.transport_security_header[/b]
+ if non-zero and SSL is being used, include a strict-transport-security header on webpages
[b]system.poke_basic[/b]
Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs.
[b]system.openssl_conf_file[/b]