author | Marcel Klehr <mklehr@gmx.net> | 2014-06-17 13:21:38 +0200 |
---|---|---|
committer | Marcel Klehr <mklehr@gmx.net> | 2014-06-17 13:21:38 +0200 |
commit | 897f5189b04a468449a007c6a8209af2ee63811f (patch) | |
tree | 7e8e747630e8cedcacbc202bb7db879111435fc1 | |
parent | ffe7e65db64a92abb193ae161bec121c51a0298b (diff) | |
download | etherpad-lite-897f5189b04a468449a007c6a8209af2ee63811f.zip |
Enable HSTS for TLS connections
Don't use X-Frame-Options: deny for now
-rw-r--r-- | src/node/hooks/express.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 7e9546c2..61d9ae89 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -71,9 +71,9 @@ exports.restartServer = function () {
 }
 app.use(function (req, res, next) {
- res.header("X-Frame-Options", "deny");
+ // res.header("X-Frame-Options", "deny"); // breaks embedded pads
 if(settings.ssl){ // if we use SSL
- res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+ res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
 }
 res.header("Server", serverName); |
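Review bot: Commenting out the `X-Frame-Options` line removes framing protection from every deployment, including those that never embed pads, and leaves dead code in the middleware. An opt-in setting would keep the header where it can be used, e.g. `if (settings.<frameOptionsSetting>) res.header("X-Frame-Options", settings.<frameOptionsSetting>);`, where the setting name is a placeholder and not an existing option. The new HSTS value hard-codes `includeSubDomains` with a one-year `max-age`; browsers cache this and apply it to every subdomain of the pad's host, so a sibling host still served over plain HTTP would stop loading for those users, and that directive would be better made configurable as well. The header is only sent when `settings.ssl` is set, so an instance whose TLS is terminated by a reverse proxy would presumably never emit it. The `app.use` callback continues past the end of the hunk.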