NEW can set header "Strict-Transport-Security" in web sites

2022-08-16 16:06:09 +02:00 · 2022-08-16 16:06:09 +02:00 · 5ef941311a
commit 5ef941311a
parent 79974b456f
2 changed files with 21 additions and 1 deletions
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@ -491,6 +491,15 @@ print '<br>';
 print '<strong>WEBSITE_MAIN_SECURITY_FORCECSP</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCECSP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCECSP).' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;\")</span><br>";
 print '<br>';

+print '<strong>MAIN_SECURITY_FORCERP</strong> = '.(empty($conf->global->MAIN_SECURITY_FORCERP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->MAIN_SECURITY_FORCERP).' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"same-origin\")</span><br>";
+print '<br>';
+
+print '<strong>WEBSITE_MAIN_SECURITY_FORCERP</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCERP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCERP).' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"strict-origin-when-cross-origin\")</span><br>";
+print '<br>';
+
+print '<strong>WEBSITE_MAIN_SECURITY_FORCESTS</strong> = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCESTS) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->WEBSITE_MAIN_SECURITY_FORCESTS).' &nbsp; <span class="opacitymedium">('.$langs->trans("Example").": \"max-age=31536000; includeSubDomaines\")</span><br>";
+print '<br>';
+

 print '<br>';

--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@ -129,13 +129,24 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {

 	// Referrer-Policy
 	if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
-		// The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be
+		// The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be

 		// For public web sites, we use the same default value than "strict-origin-when-cross-origin"
 		$referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");

 		header("Referrer-Policy: ".$referrerpolicy);
 	}
+
+	// Strict-Transport-Security
+	if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
+		// The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
+
+		// Example: "max-age=31536000; includeSubDomaines"
+		$sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
+		if (!empty($sts)) {
+			header("Strict-Transport-Security: ".$sts);
+		}
+	}
 }

 // A lang was forced, so we change weblangs init