Add configuration option to enable/disable 'Strict-Transport-Security' HTTP header

3 files changed, 10 insertions, 1 deletions

diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index 8f822f3d..e9957bbd 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -116,9 +116,12 @@ abstract class Base
         $this->response->csp(array('style-src' => "'self' 'unsafe-inline'"));
         $this->response->nosniff();
         $this->response->xss();
-        $this->response->hsts();
         $this->response->xframe();
 
+        if (ENABLE_HSTS) {
+            $this->response->hsts();
+        }
+
         // Load translations
         $language = $this->config->get('language', 'en_US');
         if ($language !== 'en_US') Translator::load($language);
diff --git a/app/constants.php b/app/constants.php
index d52ce2be..777e6f0e 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -68,3 +68,6 @@ defined('MAIL_SMTP_USERNAME') or define('MAIL_SMTP_USERNAME', '');
 defined('MAIL_SMTP_PASSWORD') or define('MAIL_SMTP_PASSWORD', '');
 defined('MAIL_SMTP_ENCRYPTION') or define('MAIL_SMTP_ENCRYPTION', null);
 defined('MAIL_SENDMAIL_COMMAND') or define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
+
+// Enable or disable "Strict-Transport-Security" HTTP header
+defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);
diff --git a/config.default.php b/config.default.php
index 5a618b6d..f27672e6 100644
--- a/config.default.php
+++ b/config.default.php
@@ -109,3 +109,6 @@ define('REVERSE_PROXY_DEFAULT_ADMIN', '');
 
 // Default domain to use for setting the email address
 define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
+
+// Enable or disable "Strict-Transport-Security" HTTP header
+define('ENABLE_HSTS', true);