ec257d940a
The risk of injection attacks using HTTP is too great to allow a site that allows both HTTP and HTTPS...
22 lines
796 B
Plaintext
22 lines
796 B
Plaintext
The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.
|
|
See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.
|
|
|
|
Installation
|
|
============
|
|
add "addPlugin('strictTransportSecurity');"
|
|
to the bottom of your config.php
|
|
|
|
The plugin will not do anything unless:
|
|
$config['site']['ssl'] is set to something other than 'never'
|
|
$config['site']['path'] is either not set, empty, or '/'
|
|
|
|
Settings
|
|
========
|
|
max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)
|
|
includeSubDomains (false): if set, then STS will apply to all the sub-domains too.
|
|
|
|
Example
|
|
=======
|
|
addPlugin('strictTransportSecurity');
|
|
|