From ffe7e65db64a92abb193ae161bec121c51a0298b Mon Sep 17 00:00:00 2001
From: John McLear
Date: Thu, 14 Mar 2013 19:03:20 -0300
Subject: [PATCH 1/2] allow strict transport if ssl is on and stop x-frame-options, this might break embedded pads, please test
---
 src/node/hooks/express.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 34baca40f..7e9546c29 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -27,7 +27,7 @@ exports.createServer = function () {
   }
   console.log("Report bugs at https://github.com/ether/etherpad-lite/issues")
-  serverName = "Etherpad-Lite " + version + " (http://etherpad.org)";
+  serverName = "Etherpad " + version + " (http://etherpad.org)";
   exports.restartServer();
@@ -71,6 +71,11 @@ exports.restartServer = function () {
   }
   app.use(function (req, res, next) {
+    res.header("X-Frame-Options", "deny");
+    if(settings.ssl){ // if we use SSL
+      res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+    }
+
     res.header("Server", serverName);
     next();
   });
From 897f5189b04a468449a007c6a8209af2ee63811f Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Tue, 17 Jun 2014 13:21:38 +0200
Subject: [PATCH 2/2] Enable HSTS for TLS connections Don't use X-Frame-Options: deny for now
---
 src/node/hooks/express.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 7e9546c29..61d9ae892 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -71,9 +71,9 @@ exports.restartServer = function () {
   }
   app.use(function (req, res, next) {
-    res.header("X-Frame-Options", "deny");
+    // res.header("X-Frame-Options", "deny"); // breaks embedded pads
     if(settings.ssl){ // if we use SSL
-      res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+      res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
     }
     res.header("Server", serverName);
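Review bot: The new `serverName` assignment still embeds the exact `version`, and the same file sends that string to every client in `res.header("Server", serverName)` (visible as context in the second hunk), so the rename does not change that each response fingerprints the running release. If advertising the version is intended, a comment on the line saying so would help; otherwise consider `serverName = "Etherpad (http://etherpad.org)";` or a settings switch that keeps the product name but drops the release number. The enclosing `exports.createServer` body starts and ends outside the hunk.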
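Review bot: The header call inside `if(settings.ssl)` writes the HSTS value into `X-Frame-Options` instead of `Strict-Transport-Security`, so on TLS deployments it overwrites the `deny` set one line earlier with a value that is not a valid X-Frame-Options directive, leaving neither protection in effect; patch 2/2 corrects the header name, so the two patches should be squashed so that no intermediate revision carries this. Separately, gating HSTS on `settings.ssl` means an instance that terminates TLS at a reverse proxy never sends the header, and `includeSubDomains` with a one-year `max-age` commits every subdomain of the host rather than just the pad, so both deserve a comment or a setting; the proposed comment is `// HSTS only when Node itself serves TLS; proxied TLS setups need a setting of their own`. The `exports.restartServer` function continues outside the hunk.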
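Review bot: Commenting out the `X-Frame-Options` line leaves dead code in the middleware and drops frame protection entirely, which is coarser than the embedding problem requires. Rather than keeping the commented line, either delete it or make the policy configurable, e.g. send `X-Frame-Options: SAMEORIGIN` (or a `Content-Security-Policy` `frame-ancestors` directive listing the permitted embedding origins) when a setting enables it, with a comment recording why `deny` was withdrawn. The `Strict-Transport-Security` line is now correct, but it is worth a comment such as `// one-year max-age with includeSubDomains is hard to roll back once clients have cached it` so the next maintainer does not change the value casually. The `app.use` callback and `exports.restartServer` continue outside the hunk.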