gnu-social/plugins/StrictTransportSecurity/README

The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.
See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.

Installation
============
add "addPlugin('strictTransportSecurity');"
to the bottom of your config.php

The plugin will not do anything unless:
$config['site']['ssl'] is set to something other than 'never'
$config['site']['path'] is either not set, empty, or '/'

Settings
========
max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)
includeSubDomains (false): if set, then STS will apply to all the sub-domains too.

Example
=======
addPlugin('strictTransportSecurity');
add StrictTransportSecurity plugin 2010-10-26 23:46:18 -04:00			`The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.`
			`See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.`

			`Installation`
			`============`
			`add "addPlugin('strictTransportSecurity');"`
			`to the bottom of your config.php`

			`The plugin will not do anything unless:`
Either use or don't use HTTPS The risk of injection attacks using HTTP is too great to allow a site that allows both HTTP and HTTPS... 2016-02-10 00:57:39 +01:00			`$config['site']['ssl'] is set to something other than 'never'`
add StrictTransportSecurity plugin 2010-10-26 23:46:18 -04:00			`$config['site']['path'] is either not set, empty, or '/'`

			`Settings`
			`========`
			`max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)`
			`includeSubDomains (false): if set, then STS will apply to all the sub-domains too.`

			`Example`
			`=======`
			`addPlugin('strictTransportSecurity');`