ACC HTTPS security config
Authored By
stwalkerster
May 12 2016, 5:16 PM
2016-05-12 17:16:23 (UTC+0)
Size
1 KB
// We define this function:
function isHttps()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
            // Client <=> Proxy is encrypted
            return true;
        }
        else {
            // Proxy <=> Server link is encrypted, but not Client <=> Proxy.
            return false;
        }
    }

    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] === 'off') {
            // ISAPI on IIS breaks the spec. :(
            return false;
        }

        if ($_SERVER['HTTPS'] !== '') {
            // Set to a non-empty value
            return true;
        }
    }

    return false;
}

// Then, before we display the login form, we run this code:
if (isHttps()) {
    // Client can clearly use HTTPS, so let's enforce it for all connections.
    header("Strict-Transport-Security: max-age=15768000");
}
else {
    // This is the login form, not the request form. We need protection here.
    $path = 'https://' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $path);
    // Stop here so the login form body is never sent over plain HTTP.
    exit;
}

// on our newinternal branch, we do much the same in a much more structured, OO-friendly way
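As an added example (not part of this paste or of the ACC code base), the detection and login-form logic above ported to Python so the cases it has to handle can be run offline: direct TLS, the IIS `HTTPS=off` quirk, and a request arriving through a reverse proxy. The port adds one guard the paste does not have: `X-Forwarded-Proto` is only honoured when `REMOTE_ADDR` is one of our own proxies, because any client can send that header and otherwise a plain-HTTP request could claim to be HTTPS and skip the redirect. The proxy ranges, host name and request paths are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed for this example: the address ranges our reverse proxies connect from.
# A real deployment would take these from configuration.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]

# Same max-age (about six months) as the header in the paste.
HSTS_MAX_AGE = 15768000


def _peer_is_trusted_proxy(server: Dict[str, str], trusted_proxies) -> bool:
    """True when the TCP peer (REMOTE_ADDR) is one of our own reverse proxies."""
    try:
        peer = ip_address(server.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted_proxies)


def is_https(server: Dict[str, str], trusted_proxies=TRUSTED_PROXIES) -> bool:
    """Port of isHttps() from the paste, operating on a dict shaped like PHP's $_SERVER.

    Difference from the original (an addition for this example): X-Forwarded-Proto
    is only honoured when the request came in from a trusted proxy. Any client can
    send that header, so without the guard a plain-HTTP request could claim to be
    HTTPS and suppress the redirect to the encrypted login form.
    """
    if "HTTP_X_FORWARDED_PROTO" in server and _peer_is_trusted_proxy(server, trusted_proxies):
        # Only the Client <=> Proxy hop matters for the client's security; whether
        # the Proxy <=> Server hop is encrypted is irrelevant here.
        return server["HTTP_X_FORWARDED_PROTO"] == "https"

    https = server.get("HTTPS")
    if https is not None:
        if https == "off":
            # ISAPI on IIS sets HTTPS=off for plain requests instead of leaving it unset.
            return False
        if https != "":
            # Any other non-empty value (normally "on") means TLS terminated here.
            return True
    return False


def login_page_headers(server: Dict[str, str], trusted_proxies=TRUSTED_PROXIES) -> List[Tuple[str, str]]:
    """Headers the login-form code in the paste would emit for this request:
    HSTS over HTTPS, otherwise a redirect to the same URL over HTTPS (the caller
    must stop rendering after sending the redirect)."""
    if is_https(server, trusted_proxies):
        return [("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}")]
    target = "https://" + server["SERVER_NAME"] + server["REQUEST_URI"]
    return [("Location", target)]


if __name__ == "__main__":
    # Constructed request environments, one per case the detection has to handle.
    cases = {
        "direct TLS": {"HTTPS": "on", "REMOTE_ADDR": "203.0.113.7"},
        "IIS plain HTTP": {"HTTPS": "off", "REMOTE_ADDR": "203.0.113.7"},
        "TLS at trusted proxy": {"HTTP_X_FORWARDED_PROTO": "https", "REMOTE_ADDR": "10.0.0.5"},
        "plain at proxy, TLS to backend": {"HTTP_X_FORWARDED_PROTO": "http", "HTTPS": "on", "REMOTE_ADDR": "10.0.0.5"},
        "forwarded header from untrusted peer": {"HTTP_X_FORWARDED_PROTO": "https", "REMOTE_ADDR": "203.0.113.7"},
    }
    for name, env in cases.items():
        env.setdefault("SERVER_NAME", "acc.example.invalid")
        env.setdefault("REQUEST_URI", "/login.php")
        print(f"{name:38s} https={is_https(env)!s:5s} {login_page_headers(env)}")
```

The fourth case is the one the paste's comment about the Proxy <=> Server hop describes: the backend sees `HTTPS=on`, but the client spoke plain HTTP to the proxy, so the request is still redirected. The last case only passes because of the added peer check; with the paste's logic alone it would be treated as HTTPS.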
Attached To: P27 ACC HTTPS security config