diff options
| -rwxr-xr-x | boot.php | 2 | ||||
| -rw-r--r-- | doc/hidden_configs.bb | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -2164,7 +2164,7 @@ function construct_page(&$a) { // security headers - see https://securityheaders.io - if($a->get_scheme() === 'https') + if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header']) header("Strict-Transport-Security: max-age=31536000"); header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"); diff --git a/doc/hidden_configs.bb b/doc/hidden_configs.bb index 4418e45ea..af938b0a6 100644 --- a/doc/hidden_configs.bb +++ b/doc/hidden_configs.bb @@ -100,6 +100,8 @@ This document assumes you're an administrator. [b]system.paranoia[/b] As the pconfig, but on a site-wide basis. Can be overwritten by member settings. + [b]system.transport_security_header[/b] + if non-zero and SSL is being used, include a strict-transport-security header on webpages [b]system.poke_basic[/b] Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs. [b]system.openssl_conf_file[/b] |