Verified Commit 07d443ee authored by Antoine Beaupré

enable HSTS headers when using TLS

HSTS is HTTP Strict Transport Security; it protects websites against
downgrade attacks. Therefore if we redirect HTTP to HTTPS, we should
also use HSTS. To quote the Mozilla security guidelines:

> HTTP Strict Transport Security (HSTS) is an HTTP header that
> notifies user agents to only connect to a given site over HTTPS,
> even if the scheme chosen was HTTP. Browsers that have had HSTS set
> for a given site will transparently upgrade all requests to
> HTTPS. HSTS also tells the browser to treat TLS and
> certificate-related errors more strictly by disabling the ability
> for users to bypass the error page.
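The header this commit configures is only useful if browsers accept it, so a small audit of what a vhost actually returns is worth having. The following is an added example, not code from this commit or project: it parses a `Strict-Transport-Security` value the way RFC 6797 tells a user agent to, and checks one response's headers against the 6-month `max-age` the commit sets. The header lists are constructed samples.

```python
"""Check Strict-Transport-Security (HSTS) headers the way RFC 6797 tells a
browser to read them. Added example; the sample headers are constructed."""

SIX_MONTHS = 15552000  # the max-age the commit configures (180 days)


def parse_hsts(value):
    """Parse one STS header value into a policy dict, or return None when a
    browser would ignore it (no valid max-age, or a repeated directive)."""
    policy = {"max_age": None, "includeSubDomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # RFC 6797 s.6.1: each directive may appear only once
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is unknown and ignored by user agents
    return policy if policy["max_age"] is not None else None


def check_hsts(headers, minimum=SIX_MONTHS):
    """Audit a list of (name, value) response headers from one HTTPS reply."""
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(sts) > 1:  # e.g. two 'Header add' lines; browsers honour only the first
        findings.append("%d STS headers sent; browsers honour only the first" % len(sts))
    policy = parse_hsts(sts[0])
    if policy is None:
        return findings + ["unparseable STS value: %r" % sts[0]]
    if policy["max_age"] < minimum:
        findings.append("max-age=%d is below %d seconds" % (policy["max_age"], minimum))
    return findings


# constructed sample: what a vhost configured as in the commit should return
OK_HEADERS = [("Content-Type", "text/html"),
              ("Strict-Transport-Security", "max-age=15552000")]
```

Feed `check_hsts` the header list from a real HTTPS response (for example from `http.client` or `requests`) and an empty result means the policy matches what the commit intends.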
parent 1d6d4a8a
......@@ -69,6 +69,13 @@
SSLCertificateChainFile <TMPL_VAR SSL_CHAIN_FILE>
</TMPL_IF>
<TMPL_IF REDIRECT_TO_HTTPS>
<IfModule mod_headers.c>
# enable HSTS, for 6 months
Header always add Strict-Transport-Security "max-age=15552000"
</IfModule>
</TMPL_IF>
<TMPL_IF SUEXEC>
SuexecUserGroup <TMPL_VAR USER> <TMPL_VAR USER>
</TMPL_IF>
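Review bot: `Header always add Strict-Transport-Security "max-age=15552000"` should be `Header always set ...`; with `add`, any other place that also emits the header (another include, a `.htaccess`) yields two STS header fields, and RFC 6797 has browsers process only the first one, so the intended policy may silently lose. Also, the new block is guarded by `REDIRECT_TO_HTTPS` alone, outside the `</TMPL_IF>` that closes the SSL chain-file section just above it, while the commit title says "when using TLS"; if this template is also rendered for the plain-HTTP vhost the header goes out over HTTP, where user agents must ignore it. Harmless, but gating it on the TLS condition as well would match the title and avoid the noise. The `max-age` itself matches the comment: 15552000 seconds is 180 days.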