
ACC HTTPS security config
Active, Public

Authored by stwalkerster on May 12 2016, 5:16 PM.
F595: ACC HTTPS security config
<?php
// We define this function:
function isHttps()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
            // Client <=> Proxy is encrypted
            return true;
        } else {
            // Proxy <=> Server link is encrypted, but not Client <=> Proxy.
            return false;
        }
    }

    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] === 'off') {
            // ISAPI on IIS breaks the spec. :(
            return false;
        }

        if ($_SERVER['HTTPS'] !== '') {
            // Set to a non-empty value
            return true;
        }
    }

    return false;
}

// Then, before we display the login form, we run this code:
if (isHttps()) {
    // Client can clearly use HTTPS, so let's enforce it for all connections.
    header("Strict-Transport-Security: max-age=15768000");
} else {
    // This is the login form, not the request form. We need protection here.
    $path = 'https://' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $path);
    // Stop here so the login form itself is never sent over plain HTTP.
    exit;
}

// on our newinternal branch, we do much the same in a much more structured, OO-friendly way
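The following is an added, self-contained example and is not the ACC project's code. It restates the detection above as a function that takes the server array as a parameter so it can be exercised against constructed environments, and it goes one step beyond the paste: the X-Forwarded-Proto header is only believed when REMOTE_ADDR is in an assumed trusted-proxy list, because an unchecked header lets any client claim "https" and skip the redirect. The proxy address, hostname and URI are constructed sample values; isHttpsRequest, loginPageHeaders and $trustedProxies are names chosen for this example.

```php
<?php
// Added example (not the ACC project's code): a testable variant of the
// page's isHttps() plus the header logic that precedes the login form.

/**
 * Decide whether the client's connection is HTTPS.
 *
 * @param array    $server         Request environment, normally $_SERVER.
 * @param string[] $trustedProxies Proxy addresses whose X-Forwarded-Proto
 *                                 we are willing to believe (assumed list).
 */
function isHttpsRequest(array $server, array $trustedProxies = []): bool
{
    // Only honour X-Forwarded-Proto when the immediate peer is a known proxy.
    // Otherwise fall through to the local HTTPS variable.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        return $server['HTTP_X_FORWARDED_PROTO'] === 'https';
    }

    if (isset($server['HTTPS'])) {
        // ISAPI on IIS sets HTTPS=off instead of leaving it unset.
        if ($server['HTTPS'] === 'off') {
            return false;
        }
        // Any other non-empty value means TLS.
        return $server['HTTPS'] !== '';
    }

    return false;
}

/**
 * Headers the login page should send: HSTS when already on HTTPS,
 * otherwise a redirect to the HTTPS form of the same request.
 */
function loginPageHeaders(array $server, array $trustedProxies = []): array
{
    if (isHttpsRequest($server, $trustedProxies)) {
        return ['Strict-Transport-Security: max-age=15768000'];
    }
    $target = 'https://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
    return ['Location: ' . $target];
}

// Constructed sample environments (not real traffic); 10.0.0.1 is the
// assumed trusted proxy, 203.0.113.5 is a documentation-range client.
$trustedProxies = ['10.0.0.1'];
$base = ['SERVER_NAME' => 'accounts.example.org', 'REQUEST_URI' => '/login'];
$cases = [
    'direct https'   => [['HTTPS' => 'on'], true],
    'iis off'        => [['HTTPS' => 'off'], false],
    'behind proxy'   => [['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '10.0.0.1'], true],
    'spoofed header' => [['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.5'], false],
    'plain http'     => [['REMOTE_ADDR' => '203.0.113.5'], false],
];

foreach ($cases as $name => [$env, $expected]) {
    $env += $base;
    $got = isHttpsRequest($env, $trustedProxies);
    printf("%-15s %-5s %s -> %s\n",
        $name,
        $got ? 'https' : 'http',
        $got === $expected ? 'ok' : 'MISMATCH',
        implode('; ', loginPageHeaders($env, $trustedProxies)));
}

// Usage at the top of the real login page:
//   foreach (loginPageHeaders($_SERVER, $trustedProxies) as $h) { header($h); }
//   if (!isHttpsRequest($_SERVER, $trustedProxies)) { exit; }
```

Running the script prints one line per case; the "spoofed header" case stays on http because the header arrives from an address outside the trusted list, which is the difference from the paste's version, where any X-Forwarded-Proto value is taken at face value.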

Event Timeline

stwalkerster created this object with visibility "Public (No Login Required)".
import-bot changed the edit policy from "All Users" to "Community (Project)". Feb 3 2017, 3:03 PM