-rw-r--r--api.php5
-rw-r--r--index.php13
2 files changed, 18 insertions, 0 deletions
diff --git a/api.php b/api.php
index fdccf14a..a9eec1e7 100644
--- a/api.php
+++ b/api.php
@@ -42,8 +42,13 @@ if (Module::isAvailable($module)) {
if (!file_exists($module)) {
Util::traceError('Invalid module, or module without API: ' . $module);
}
+Header('Expires: Wed, 29 Mar 2007 09:56:28 GMT');
+Header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+Header("Cache-Control: post-check=0, pre-check=0", false);
+Header("Pragma: no-cache");
Header('Content-Type: text/plain; charset=utf-8');
+
ob_start('ob_gzhandler');
// Load module - it will execute pre-processing, or act upon request parameters
require_once($module);
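Review bot: The `Expires` value on the first added line is not a well-formed HTTP date, because 29 Mar 2007 was a Thursday and the header says `Wed`. Clients are expected to treat an invalid Expires value as already expired, so the caching effect is the same, but `Header('Expires: 0');` or a correct date states the intent without relying on that fallback. The same four header lines are added again in index.php in this commit; moving them into one shared helper (for example on the existing `Util` class) would keep the two entry points from drifting apart. The `post-check=0, pre-check=0` directives are legacy Internet Explorer extensions and add nothing once `no-store` is sent.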
diff --git a/index.php b/index.php
index 5fff7e5e..20049335 100644
--- a/index.php
+++ b/index.php
@@ -114,6 +114,19 @@ if (defined('CONFIG_DEBUG') && CONFIG_DEBUG) {
});
}
+// Set HSTS Header if client is using HTTPS
+if(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+ if (Request::any('hsts') === 'off') {
+ Header('Strict-Transport-Security: max-age=0', true);
+ } else {
+ Header('Strict-Transport-Security: max-age=15768000', true);
+ }
+}
+Header('Expires: Wed, 29 Mar 2007 09:56:28 GMT');
+Header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+Header("Cache-Control: post-check=0, pre-check=0", false);
+Header("Pragma: no-cache");
+
// Now determine which module to run
Page::init();
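Review bot: The `hsts=off` branch lets a client-supplied value switch off HSTS for the visiting browser. `Request::any('hsts')` presumably reads GET/POST parameters, so any HTTPS request carrying that parameter is answered with `max-age=0`, which clears the stored policy and the downgrade protection that comes with it. The opt-out should come from server-side configuration or be limited to an authenticated administrator, e.g. `if (defined('CONFIG_HSTS_DISABLE') && CONFIG_HSTS_DISABLE)` (placeholder constant name), rather than from the request. Separately, `$_SERVER['HTTPS']` is typically not set when TLS is terminated at a reverse proxy, so the header may never be emitted in that deployment; worth confirming. The surrounding top-level script continues outside the hunk.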