ACC HTTPS security config

Authored By
stwalkerster
May 12 2016, 5:16 PM
Size
1 KB
Referenced Files
None
Subscribers
None

// We define this function:
function isHttps()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        // Note: this header is only meaningful when set by a trusted reverse proxy;
        // a client connecting directly can send it too.
        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
            // Client <=> Proxy is encrypted
            return true;
        } else {
            // Proxy <=> Server link is encrypted, but not Client <=> Proxy.
            return false;
        }
    }
    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] === 'off') {
            // ISAPI on IIS breaks the spec. :(
            return false;
        }
        if ($_SERVER['HTTPS'] !== '') {
            // Set to a non-empty value
            return true;
        }
    }
    return false;
}

// Then, before we display the login form, we run this code:
if (isHttps()) {
    // Client can clearly use HTTPS, so let's enforce it for all connections.
    header("Strict-Transport-Security: max-age=15768000");
} else {
    // This is the login form, not the request form. We need protection here.
    $path = 'https://' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $path);
}

// on our newinternal branch, we do much the same in a much more structured, OO-friendly way
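The following is an added example, not code from the paste or from the ACC project: it restates the same detection and enforcement logic in a form that can be exercised offline, taking the server array as a parameter instead of reading `$_SERVER` directly, and only honouring `X-Forwarded-Proto` when the request arrived from an address in a trusted-proxy list. The function names, the `$trustedProxies` list and the sample addresses are constructed for this example and are not part of the original.

```php
<?php
// Added example (not the paste's own code). Same branches as the paste's
// isHttps(), plus a trusted-proxy check so a client cannot claim "https"
// by sending X-Forwarded-Proto itself.
function isHttpsRequest(array $server, array $trustedProxies): bool
{
    $fromTrustedProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    if ($fromTrustedProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // Only the proxy's word counts for the Client <=> Proxy leg.
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }

    if (isset($server['HTTPS'])) {
        // ISAPI on IIS sets HTTPS=off instead of leaving it unset.
        if ($server['HTTPS'] === 'off') {
            return false;
        }
        return $server['HTTPS'] !== '';
    }

    return false;
}

// Returns the header the login page should emit, instead of calling header()
// directly, so the decision can be checked without a web server.
function loginTransportHeader(array $server, array $trustedProxies): string
{
    if (isHttpsRequest($server, $trustedProxies)) {
        // Already on HTTPS: pin it with HSTS (six months, as in the paste).
        return 'Strict-Transport-Security: max-age=15768000';
    }
    // Not on HTTPS: bounce to the same path over HTTPS. SERVER_NAME is used
    // as in the paste; on Apache it reflects the Host header unless
    // UseCanonicalName is On, so configure the canonical name server-side.
    return 'Location: https://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
}

// Constructed sample requests (hypothetical addresses) covering each branch.
$trusted = ['10.0.0.2'];
$base = ['SERVER_NAME' => 'accounts.example.org', 'REQUEST_URI' => '/acc/login'];
$cases = [
    'direct TLS (Apache)'      => [['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.5'], true],
    'direct plain HTTP'        => [['REMOTE_ADDR' => '203.0.113.5'], false],
    'IIS HTTPS=off'            => [['HTTPS' => 'off', 'REMOTE_ADDR' => '203.0.113.5'], false],
    'trusted proxy, https'     => [['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '10.0.0.2'], true],
    'trusted proxy, http leg'  => [['HTTP_X_FORWARDED_PROTO' => 'http', 'HTTPS' => 'on', 'REMOTE_ADDR' => '10.0.0.2'], false],
    'spoofed header, no proxy' => [['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.5'], false],
];

foreach ($cases as $name => [$server, $expected]) {
    $server += $base;
    $got = isHttpsRequest($server, $trusted);
    printf("%-26s isHttps=%-5s %s\n", $name, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
    printf("%-26s -> %s\n", '', loginTransportHeader($server, $trusted));
}
```

The last sample case is the one the paste's version does not distinguish: a direct client sending `X-Forwarded-Proto: https` over plain HTTP would be treated as encrypted and receive the login form without a redirect, whereas with the proxy-address check it is redirected like any other plaintext request. Keep the trusted list in server configuration rather than in the page, and keep it to the addresses of the actual TLS-terminating proxies.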