Enable HSTS for TLS connections

Don't use X-Frame-Options: deny for now
author: Marcel Klehr <mklehr@gmx.net> 2014-06-17 13:21:38 +0200
committer: Marcel Klehr <mklehr@gmx.net> 2014-06-17 13:21:38 +0200
commit: 897f5189b04a468449a007c6a8209af2ee63811f (patch)
tree: 7e8e747630e8cedcacbc202bb7db879111435fc1 /src/node
parent: ffe7e65db64a92abb193ae161bec121c51a0298b (diff)
download: etherpad-lite-897f5189b04a468449a007c6a8209af2ee63811f.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 7e9546c2..61d9ae89 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -71,9 +71,9 @@ exports.restartServer = function () {
   }
 
   app.use(function (req, res, next) {
-    res.header("X-Frame-Options", "deny");
+    // res.header("X-Frame-Options", "deny"); // breaks embedded pads
     if(settings.ssl){ // if we use SSL
-      res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+      res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     }
 
     res.header("Server", serverName);
author	Marcel Klehr <mklehr@gmx.net>	2014-06-17 13:21:38 +0200
committer	Marcel Klehr <mklehr@gmx.net>	2014-06-17 13:21:38 +0200
commit	897f5189b04a468449a007c6a8209af2ee63811f (patch)
tree	7e8e747630e8cedcacbc202bb7db879111435fc1 /src/node
parent	ffe7e65db64a92abb193ae161bec121c51a0298b (diff)
download	etherpad-lite-897f5189b04a468449a007c6a8209af2ee63811f.zip