external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Set strict-transport-security only when trusted cert is in use.

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2021-06-28 13:58:40 -07:00
parent 4b52e0269d
commit 065bf14e26
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
webserver.js
View file

@ -5459,7 +5459,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'"
};
if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
if (parent.config.settings.stricttransportsecurity !== false) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } }
if ((parent.config.settings.stricttransportsecurity !== false) && (obj.isTrustedCert(domain))) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } }
res.set(headers);
}