Made HTTPS strict configurable.

2025-03-09 15:40:18 +00:00 · 2019-02-14 15:53:22 -08:00 · 2019-02-14 15:53:22 -08:00 · 92663a3690
commit 92663a3690
parent 76ba7fa799
3 changed files with 6 additions and 4 deletions
--- a/webserver.js
+++ b/webserver.js
@ -2211,8 +2211,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                    // Default headers if TLS is used
                    //headers = { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src https: wss: data: 'self';script-src https: 'unsafe-inline';style-src https: 'unsafe-inline'" };

-                    // Set Strict-Transport-Security if we are using a trusted certificate or TLS offload.
-                    headers = { 'Strict-Transport-Security': 'max-age=31536000;includeSubDomains' };
+                    if (typeof obj.args.httpsstrict == 'number') {
+                        // Set Strict-Transport-Security if we are using a trusted certificate or TLS offload.
+                        headers = { 'Strict-Transport-Security': 'max-age=' + obj.args.httpsstrict + ';includeSubDomains' };
+                    }
                }
                if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; }
                res.set(headers);