From 5ef941311a9ff51c49c34795408b6dbcad5751bf Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 16 Aug 2022 16:06:09 +0200
Subject: [PATCH] NEW can set header "Strict-Transport-Security" in web sites
---
htdocs/admin/system/security.php | 9 +++++++++
htdocs/core/website.inc.php | 13 ++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php
index 0ff1ddaca59..27936cf6e02 100644
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@@ -491,6 +491,15 @@ print '
'; print 'WEBSITE_MAIN_SECURITY_FORCECSP = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCECSP) ? ''.$langs->trans("Undefined").'' : $conf->global->WEBSITE_MAIN_SECURITY_FORCECSP).'   ('.$langs->trans("Example").": \"default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;\")
"; print '
'; +print 'MAIN_SECURITY_FORCERP = '.(empty($conf->global->MAIN_SECURITY_FORCERP) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_FORCERP).'   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"same-origin\")
"; +print '
'; + +print 'WEBSITE_MAIN_SECURITY_FORCERP = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCERP) ? ''.$langs->trans("Undefined").'' : $conf->global->WEBSITE_MAIN_SECURITY_FORCERP).'   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"strict-origin-when-cross-origin\")
"; +print '
'; + +print 'WEBSITE_MAIN_SECURITY_FORCESTS = '.(empty($conf->global->WEBSITE_MAIN_SECURITY_FORCESTS) ? ''.$langs->trans("Undefined").'' : $conf->global->WEBSITE_MAIN_SECURITY_FORCESTS).'   ('.$langs->trans("Example").": \"max-age=31536000; includeSubDomaines\")
"; +print '
'; + print '
';
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 38698d32940..7f456c14c2e 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@@ -129,13 +129,24 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
 // Referrer-Policy
 if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
- // The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be
+ // The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
 // For public web sites, we use the same default value than "strict-origin-when-cross-origin"
 $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
 header("Referrer-Policy: ".$referrerpolicy);
 }
+
+ // Strict-Transport-Security
+ if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
+ // The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
+
+ // Example: "max-age=31536000; includeSubDomaines"
+ $sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
+ if (!empty($sts)) {
+ header("Strict-Transport-Security: ".$sts);
+ }
+ }
 }
 // A lang was forced, so we change weblangs init
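Review bot: The example value printed for WEBSITE_MAIN_SECURITY_FORCESTS in the new `print` line, `"max-age=31536000; includeSubDomaines"`, misspells the HSTS directive; the correct token is `includeSubDomains`. Because this admin page is where an operator will copy the value from, a pasted example is stored with an unrecognised directive, which browsers ignore, so subdomains are silently left uncovered while the setting still looks configured. Change the string to `('.$langs->trans("Example").": \"max-age=31536000; includeSubDomains\")`. The same misspelled example is in the comment added to htdocs/core/website.inc.php by this commit and should be corrected there as well.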
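Review bot: The comment `// The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be` was carried over from the Referrer-Policy block but does not describe the new code: `$sts` is assigned directly from `getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS')` and sent as-is, so no page-level variable is consulted and the only page-side influence is defining the constant, which is exactly what the comment forbids. Reword it to state the real contract, e.g. `// A page may define the constant WEBSITE_MAIN_SECURITY_FORCESTS to prevent this header from being sent; the value itself always comes from the global setting`, or add the local override the comment promises if that was intended. It would also help operators to note next to the example that the header is only honoured on responses served over TLS and that a long max-age with includeSubDomains commits every subdomain to HTTPS for that period, so the value should be chosen deliberately. The enclosing `if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR'))` block begins outside the hunk.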