From 5476ffa9443e728510ae1006896b663989cb01da Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Tue, 26 Oct 2010 23:46:18 -0400 Subject: [PATCH] add StrictTransportSecurity plugin --- plugins/StrictTransportSecurity/README | 21 +++++++ .../StrictTransportSecurityPlugin.php | 62 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 plugins/StrictTransportSecurity/README create mode 100644 plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php diff --git a/plugins/StrictTransportSecurity/README b/plugins/StrictTransportSecurity/README new file mode 100644 index 0000000000..66f03e95ea --- /dev/null +++ b/plugins/StrictTransportSecurity/README @@ -0,0 +1,21 @@ +The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites. +See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification. + +Installation +============ +add "addPlugin('strictTransportSecurity');" +to the bottom of your config.php + +The plugin will not do anything unless: +$config['site']['ssl'] is set to 'always' +$config['site']['path'] is either not set, empty, or '/' + +Settings +======== +max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days) +includeSubDomains (false): if set, then STS will apply to all the sub-domains too. + +Example +======= +addPlugin('strictTransportSecurity'); + diff --git a/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php new file mode 100644 index 0000000000..004a627929 --- /dev/null +++ b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php @@ -0,0 +1,62 @@ +. + * + * @category Plugin + * @package StatusNet + * @author Craig Andrews + * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET') && !defined('LACONICA')) { + exit(1); +} + +class StrictTransportSecurityPlugin extends Plugin +{ + public $max_age = 15552000; + public $includeSubDomains = false; + + function __construct() + { + parent::__construct(); + } + + function onArgsInitialize($args) + { + $path = common_config('site', 'path'); + if(common_config('site', 'ssl') == 'always' && ($path == '/' || ! $path )) { + header('Strict-Transport-Security: max-age=' . $this->max_age . + ($this->includeSubDomains?'; includeSubDomains':'')); + } + } + + function onPluginVersion(&$versions) + { + $versions[] = array('name' => 'StrictTransportSecurity', + 'version' => STATUSNET_VERSION, + 'author' => 'Craig Andrews', + 'homepage' => 'http://status.net/wiki/Plugin:StrictTransportSecurity', + 'rawdescription' => + _m('The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.')); + return true; + } +} -- 2.39.5