summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarcel Klehr <mklehr@gmx.net>2014-06-17 13:21:38 +0200
committerMarcel Klehr <mklehr@gmx.net>2014-06-17 13:21:38 +0200
commit897f5189b04a468449a007c6a8209af2ee63811f (patch)
tree7e8e747630e8cedcacbc202bb7db879111435fc1
parentffe7e65db64a92abb193ae161bec121c51a0298b (diff)
downloadetherpad-lite-897f5189b04a468449a007c6a8209af2ee63811f.zip
Enable HSTS for TLS connections
Don't use X-Frame-Options: deny for now
-rw-r--r--src/node/hooks/express.js4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 7e9546c2..61d9ae89 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -71,9 +71,9 @@ exports.restartServer = function () {
}
app.use(function (req, res, next) {
- res.header("X-Frame-Options", "deny");
+ // res.header("X-Frame-Options", "deny"); // breaks embedded pads
if(settings.ssl){ // if we use SSL
- res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+ res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
}
res.header("Server", serverName);