author | Craig Andrews <candrews@integralblue.com> | 2010-10-26 23:46:18 -0400 |
committer | Craig Andrews <candrews@integralblue.com> | 2010-10-26 23:46:18 -0400 |
commit | 5476ffa9443e728510ae1006896b663989cb01da (patch) | |
tree | 19a6f4e48a716c9d61fff6f95bbcd933a6aa5870 | |
parent | ca489631db840e33757a71a7e4cb56b187c182d3 (diff) |
add StrictTransportSecurity plugin
-rw-r--r-- | plugins/StrictTransportSecurity/README | 21 | ||||
-rw-r--r-- | plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php | 62 |
2 files changed, 83 insertions, 0 deletions
diff --git a/plugins/StrictTransportSecurity/README b/plugins/StrictTransportSecurity/README
new file mode 100644
index 000000000..66f03e95e
--- /dev/null
+++ b/plugins/StrictTransportSecurity/README
@@ -0,0 +1,21 @@
+The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.
+See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.
+
+Installation
+============
+add "addPlugin('strictTransportSecurity');"
+to the bottom of your config.php
+
+The plugin will not do anything unless:
+$config['site']['ssl'] is set to 'always'
+$config['site']['path'] is either not set, empty, or '/'
+
+Settings
+========
+max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)
+includeSubDomains (false): if set, then STS will apply to all the sub-domains too.
+
+Example
+=======
+addPlugin('strictTransportSecurity');
+
diff --git a/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php
new file mode 100644
index 000000000..004a62792
--- /dev/null
+++ b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * StatusNet, the distributed open-source microblogging tool
+ *
+ * Plugin to enable Single Sign On via CAS (Central Authentication Service)
+ *
+ * PHP version 5
+ *
+ * LICENCE: This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category Plugin
+ * @package StatusNet
+ * @author Craig Andrews <candrews@integralblue.com>
+ * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
+ * @link http://status.net/
+ */
+
+if (!defined('STATUSNET') && !defined('LACONICA')) {
+ exit(1);
+}
+
+class StrictTransportSecurityPlugin extends Plugin
+{
+ public $max_age = 15552000;
+ public $includeSubDomains = false;
+
+ function __construct()
+ {
+ parent::__construct();
+ }
+
+ function onArgsInitialize($args)
+ {
+ $path = common_config('site', 'path');
+ if(common_config('site', 'ssl') == 'always' && ($path == '/' || ! $path )) {
+ header('Strict-Transport-Security: max-age=' . $this->max_age .
+ ($this->includeSubDomains?'; includeSubDomains':''));
+ }
+ }
+
+ function onPluginVersion(&$versions)
+ {
+ $versions[] = array('name' => 'StrictTransportSecurity',
+ 'version' => STATUSNET_VERSION,
+ 'author' => 'Craig Andrews',
+ 'homepage' => 'http://status.net/wiki/Plugin:StrictTransportSecurity',
+ 'rawdescription' =>
+ _m('The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.'));
+ return true;
+ }
+} |
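Review bot: `onArgsInitialize` decides whether to send `Strict-Transport-Security` from configuration alone and never from the transport of the current request, so with `ssl` set to `always` the header is presumably also emitted on any plain-HTTP request that reaches this hook before the framework redirects it. Browsers must ignore the header on a non-TLS connection, so this is not exploitable, but the intent is clearer and more robust if the condition also checks the request itself, e.g. `$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` folded into the existing `if`. The value concatenated into the header, `$this->max_age`, is a public property a site config can override with no validation; writing `(int) $this->max_age` keeps a misconfigured string from producing a malformed header. The file docblock still describes a different plugin (`Plugin to enable Single Sign On via CAS (Central Authentication Service)`) and should read `Plugin that sends the Strict-Transport-Security header on HTTPS-only sites`. The loose `==` comparisons against `'always'` and `'/'` would be safer as `===`.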