From 0a4790ee46e7e1f19e760106e9f895a20ebd8ed2 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 29 Mar 2017 13:21:02 +0200
Subject: Add param to disable HSTS, set headers to prevent caching
---
 index.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'index.php')
diff --git a/index.php b/index.php
index 5fff7e5e..20049335 100644
--- a/index.php
+++ b/index.php
@@ -114,6 +114,19 @@ if (defined('CONFIG_DEBUG') && CONFIG_DEBUG) {
 });
 }
 
+// Set HSTS Header if client is using HTTPS
+if(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+ if (Request::any('hsts') === 'off') {
+ Header('Strict-Transport-Security: max-age=0', true);
+ } else {
+ Header('Strict-Transport-Security: max-age=15768000', true);
+ }
+}
+Header('Expires: Wed, 29 Mar 2007 09:56:28 GMT');
+Header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+Header("Cache-Control: post-check=0, pre-check=0", false);
+Header("Pragma: no-cache");
+
 // Now determine which module to run
 Page::init();
 
-- cgit v1.2.3-55-g7522
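Review bot: The `Request::any('hsts') === 'off'` branch lets whoever builds the request decide that `Strict-Transport-Security: max-age=0` is sent, and that header makes the browser discard its stored HSTS policy for the host. Assuming `Request::any` reads ordinary GET/POST parameters (its definition is outside this hunk), the check runs before `Page::init()` with no visible authentication, so a followed link or cross-site request carrying the parameter would be enough to remove the downgrade protection for that user. If the switch is meant for operators, it is safer as a server-side setting tested like the debug flag above, e.g. `if (defined('CONFIG_HSTS_OFF') && CONFIG_HSTS_OFF) {` (the constant name is a suggestion, not an existing one), or at least gated on a permission check. A comment above the branch such as `// max-age=0 makes browsers drop the stored HSTS policy; needed for <reason>` would record why clearing is allowed at all. Minor: the `Expires` literal says `Wed, 29 Mar 2007`, but that date fell on a Thursday; clients treat an invalid date as already expired so caching is still prevented, though `Header('Expires: 0');` would be cleaner.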