Merge pull request #198 from humanmade/hsts-on

Enable HSTS by default
humanmade · Mar 31, 2022 · 7efbc0c · 7efbc0c
2 parents 3a8e4fe + ab896bf
commit 7efbc0c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/docs/browser.md b/docs/browser.md
@@ -181,18 +181,28 @@ In some cases, you may want to adjust or disable these headers depending on the
 
 The [`Strict-Transport-Security` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (sometimes called HSTS) is used to enforce HTTPS (TLS/SSL) connections when loading a site and can be used to enhance the site's security.
 
-By default, Altis does not enable HSTS. You can set the value of this header manually by defining the `ABS_HSTS` constant:
+By default, Altis enables HSTS with the value `max-age=31536000; includeSubDomains`. You can configure the header using the `strict-transport-policy` setting:
 
-```php
-define( 'ABS_HSTS', 'max-age=31536000; includeSubDomains' );
+```json
+{
+	"browser": {
+		"strict-transport-policy": "max-age=3600"
+	}
+}
 ```
 
-To disable the automatic behaviour entirely, set the constant to `false`:
+You can also switch the header off completely by setting this to false:
 
-```php
-define( 'ABS_HSTS', false );
+```json
+{
+	"browser": {
+		"strict-transport-policy": false
+	}
+}
 ```
 
+Finally, if you set the value to `null` then Altis _will_ send the header but only if the current request is already using HTTPS.
+
 
 #### X-Content-Type-Options
 

diff --git a/load.php b/load.php
@@ -35,7 +35,7 @@
 			],
 			'frame-options-header' => true,
 			'nosniff-header' => true,
-			'strict-transport-security' => false,
+			'strict-transport-security' => Altis\get_environment_type() === 'local' ? false : 'max-age=31536000; includeSubDomains',
 			'xss-protection-header' => true,
 		],
 	];