Merge pull request #1619 from ether/stricter-transport

Enable HSTS on TLS connections
author: John McLear <john@mclear.co.uk> 2014-06-17 12:58:47 +0100
committer: John McLear <john@mclear.co.uk> 2014-06-17 12:58:47 +0100
commit: c627608ea5c86410c9dd53e8a157b12e4c1fe3b2 (patch)
tree: 9d6001a0215511902f003a91cbe10e8e436c7975
parent: 6dd66c6a16da58177593dedf28732e2ff298987b (diff)
parent: 897f5189b04a468449a007c6a8209af2ee63811f (diff)
download: etherpad-lite-c627608ea5c86410c9dd53e8a157b12e4c1fe3b2.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index f2bb18b8..c6573c80 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -71,6 +71,11 @@ exports.restartServer = function () {
   }
 
   app.use(function (req, res, next) {
+    // res.header("X-Frame-Options", "deny"); // breaks embedded pads
+    if(settings.ssl){ // if we use SSL
+      res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+    }
+
     res.header("Server", serverName);
     next();
   });
author	John McLear <john@mclear.co.uk>	2014-06-17 12:58:47 +0100
committer	John McLear <john@mclear.co.uk>	2014-06-17 12:58:47 +0100
commit	c627608ea5c86410c9dd53e8a157b12e4c1fe3b2 (patch)
tree	9d6001a0215511902f003a91cbe10e8e436c7975
parent	6dd66c6a16da58177593dedf28732e2ff298987b (diff)
parent	897f5189b04a468449a007c6a8209af2ee63811f (diff)
download	etherpad-lite-c627608ea5c86410c9dd53e8a157b12e4c1fe3b2.zip