Added HSTS support

2024-09-24 02:38:44 +00:00 · 2019-12-23 22:17:28 -05:00 · 2019-12-23 22:17:28 -05:00 · 067386964e
parent ebfa056aee
commit 067386964e
2 changed files with 40 additions and 6 deletions
--- a/includes/SkinCitizen.php
+++ b/includes/SkinCitizen.php
@ -28,7 +28,7 @@ class SkinCitizen extends SkinTemplate {
 			$out->addLink(
 				[
 					'rel' => 'preconnect',
-					'href' => $this->getConfig()->get( 'CitizenPreconnectOrigin' )
+					'href' => $this->getConfig()->get( 'CitizenPreconnectURL' )
 				]
 			);
 		}
@ -47,6 +47,22 @@ class SkinCitizen extends SkinTemplate {
 				]
 			);
 		}
+		// HSTS
+		if ( $this->getConfig()->get( 'CitizenEnableHSTS' ) ) {
+
+			$hstsmaxage = $this->getConfig()->get( 'CitizenHSTSMaxAge' );
+			$hstsincludesubdomains = $this->getConfig()->get( 'CitizenHSTSIncludeSubdomains' );
+
+			// HSTS max age
+			if ( is_int( $hstsmaxage ) ) {
+				$hstsmaxage = max($hstsmaxage, 0);
+			} else {
+				// Default to 5 mins if input is invalid
+				$hstsmaxage = 300;
+			}
+
+			$out->getRequest()->response()->header( 'Strict-Transport-Security: max-age=' . $hstsmaxage . ( $hstsincludesubdomains ? '; includeSubDomains' : '' ) );
+		}
 		// Deny X-Frame-Options
 		if ( $this->getConfig()->get( 'CitizenEnableDenyXFrameOptions' ) ) {
 			$out->getRequest()->response()->header( 'X-Frame-Options: deny' );
--- a/skin.json
+++ b/skin.json
@ -25,16 +25,28 @@
 			"descriptionmsg": "citizen-config-enablepreconnect",
 			"public": true
 		},
-		"PreconnectOrigin": {
+		"PreconnectURL": {
 			"value": "",
 			"description": "The URL for preconnect to required origin",
 			"descriptionmsg": "citizen-config-preconnectorigin",
 			"public": true
 		},
-		"EnableManifest": {
-			"value": true,
-			"description": "Enable or disable web app manifest",
-			"descriptionmsg": "citizen-config-enablemanifest",
+		"EnableHSTS": {
+			"value": false,
+			"description": "Enable or disable HTTP Strict Transport Security",
+			"descriptionmsg": "citizen-config-enablehsts",
+			"public": true
+		},
+		"HSTSMaxAge": {
+			"value": 300,
+			"description": "Time in second that the browser should remember that a site is only to be accessed using HTTPS",
+			"descriptionmsg": "citizen-config-hstsmaxage",
+			"public": true
+		},
+		"CitizenHSTSMaxAge": {
+			"value": false,
+			"description": "Enable or disable HTTP Strict Transport Security",
+			"descriptionmsg": "citizen-config-enablehsts",
 			"public": true
 		},
 		"EnableDenyXFrameOptions": {
@ -49,6 +61,12 @@
 			"descriptionmsg": "citizen-config-enablestrictreferrerpolicy",
 			"public": true
 		},
+		"EnableManifest": {
+			"value": true,
+			"description": "Enable or disable web app manifest",
+			"descriptionmsg": "citizen-config-enablemanifest",
+			"public": true
+		},
 		"ManifestThemeColor": {
 			"value": "#11151d",
 			"description": "The theme color defined in the web app manifest",