From abbde42c0eab841fcda49aa160ea3d5b8b97d1fc Mon Sep 17 00:00:00 2001 From: alistair3149 Date: Thu, 26 Mar 2020 15:30:26 -0400 Subject: [PATCH] WIP: Added HSTS documentation --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 69760428..9b3e86f4 100644 --- a/README.md +++ b/README.md 
@@ -21,12 +21,21 @@ Name | Description | Values | Default `$wgCitizenMaxSearchResults` | Max number of search suggestions | Integer > 0 | `6` ### Security-related +#### Content Security Policy (CSP) Name | Description | Values | Default :--- | :--- | :--- | :--- `$wgCitizenEnableCSP` | Enable or disable [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), as an alternative to [`$wgCSPHeader`](https://www.mediawiki.org/wiki/Manual:$wgCSPHeader) in Mediawiki 1.32+ | `true` - enable; `false` - disable | `false` `$wgCitizenEnableCSPReportMode` | Enable or disable [CSP report only mode](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only), overrides `$wgCitizenEnableCSP` | `true` - enable; `false` - disable | `false` `$wgCitizenCSPDirective` | The string of yourr CSP directive | See the [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) page | `` +#### HTTP Strict Transport Security (HSTS) +Name | Description | Values | Default +:--- | :--- | :--- | :--- +`$wgCitizenEnableHSTS` | Enable or disable [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) | `true` - enable; `false` - disable | `false` +`$wgCitizenHSTSMaxAge` | Time in second that the browser should remember that a site is only to be accessed using HTTPS | Integer > 0 | `300` +`$wgCitizenHSTSIncludeSubdomains` | Apply HSTS to all of the site's subdomains | `true` - enable; `false` - disable | `false` +`$wgCitizenHSTSPreload` | Enable or disable [HSTS preload](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) | `true` - enable; `false` - disable | `false` + ### Webapp manifest Name | Description | Values | Default :--- | :--- | :--- | :---
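Review bot: The `$wgCitizenHSTSPreload` row needs a caveat about preload requirements, because the defaults documented next to it (`$wgCitizenHSTSMaxAge` = `300`, `$wgCitizenHSTSIncludeSubdomains` = `false`) do not satisfy them: the HSTS preload list requires `max-age` of at least 31536000 (one year), `includeSubDomains`, and `preload` all present in the header, so a reader who only flips `$wgCitizenHSTSPreload` to `true` will emit a header the preload submission rejects. Suggest extending that row's description with something like "requires `$wgCitizenHSTSMaxAge` >= 31536000 and `$wgCitizenHSTSIncludeSubdomains` = `true`; preloading is effectively permanent, so enable it only once every subdomain serves valid HTTPS". In the `$wgCitizenHSTSMaxAge` row, "Time in second" should read "Time in seconds", and it is worth noting that a short value such as the default `300` suits an initial rollout but should be raised (a year is the usual recommendation) once HTTPS is confirmed to work site-wide, since a browser that has cached a long max-age cannot fall back to HTTP if the TLS setup later breaks. Drive-by: the unchanged context line `$wgCitizenCSPDirective` still reads "yourr CSP directive"; worth fixing in the same PR.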