Paste P27: ACC HTTPS security config
Status: Active, Public
Authored by stwalkerster on May 12 2016, 5:16 PM.
Tags: ACC
Referenced Files: F595: ACC HTTPS security config, May 12 2016, 5:16 PM (2016-05-12 17:16:23 UTC+0)
```php
<?php
// We define this function:
function isHttps()
{
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
            // Client <=> Proxy is encrypted
            return true;
        } else {
            // Proxy <=> Server link is encrypted, but not Client <=> Proxy.
            return false;
        }
    }

    if (isset($_SERVER['HTTPS'])) {
        if ($_SERVER['HTTPS'] === 'off') {
            // ISAPI on IIS breaks the spec. :(
            return false;
        }

        if ($_SERVER['HTTPS'] !== '') {
            // Set to a non-empty value
            return true;
        }
    }

    return false;
}

// Then, before we display the login form, we run this code:
if (isHttps()) {
    // Client can clearly use HTTPS, so let's enforce it for all connections.
    header("Strict-Transport-Security: max-age=15768000");
} else {
    // This is the login form, not the request form. We need protection here.
    $path = 'https://' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: " . $path);
    // Stop here: without this the login form would still be rendered over plain HTTP
    // after the redirect header was sent.
    exit;
}

// on our newinternal branch, we do much the same in a much more structured, OO-friendly way
```
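The detection above trusts X-Forwarded-Proto whenever it is present, but that header is part of the incoming request and is only meaningful if a reverse proxy under your control set or overwrote it; if the application host is reachable directly, any client can send it and make a plain-HTTP request look like HTTPS, which skips the redirect and serves the login form in the clear. The following is an added example, not code from the ACC paste or its newinternal branch: it rewrites the same decision as a pure function of the server array so the cases the comments describe (direct TLS, IIS "off", behind a proxy) can be exercised with constructed requests, and it honours X-Forwarded-Proto only when REMOTE_ADDR is a known proxy. The proxy addresses, host name and sample requests are constructed values, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not the paste's code). Same HTTPS decision as the paste, made
// testable by taking the server array as a parameter, plus a trusted-proxy gate.
// TRUSTED_PROXIES, the host name and the sample requests below are constructed.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed; substitute the real proxy addresses

function isHttpsRequest(array $server): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // The header is set by whoever sent the request. If that was not one of
        // our proxies, ignore it and fall through to the local HTTPS check.
        if (in_array($remote, TRUSTED_PROXIES, true)) {
            // Chained proxies may send "https, http"; the first hop is the client side.
            $first = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
            return $first === 'https';
        }
    }

    if (isset($server['HTTPS'])) {
        // ISAPI on IIS sets the literal string "off" for plain HTTP.
        if (strtolower($server['HTTPS']) === 'off') {
            return false;
        }
        return $server['HTTPS'] !== '';
    }

    return false;
}

// Returns the single header the login page should send for this request.
// Keeping it side-effect free lets the decision be checked without sending anything.
function loginTransportHeader(array $server): string
{
    if (isHttpsRequest($server)) {
        return 'Strict-Transport-Security: max-age=15768000';
    }

    return 'Location: https://' . $server['SERVER_NAME'] . ($server['REQUEST_URI'] ?? '/');
}

// In the real request path, the paste's two branches become this one call.
function enforceLoginTransport(): void
{
    $header = loginTransportHeader($_SERVER);
    header($header);
    if (strncmp($header, 'Location:', 9) === 0) {
        exit; // do not render the form over plain HTTP
    }
}

// Constructed sample requests covering the cases the paste's comments describe.
$base  = ['SERVER_NAME' => 'acc.example.org', 'REQUEST_URI' => '/login'];
$cases = [
    'direct TLS'              => $base + ['HTTPS' => 'on',  'REMOTE_ADDR' => '203.0.113.7'],
    'IIS plain HTTP'          => $base + ['HTTPS' => 'off', 'REMOTE_ADDR' => '203.0.113.7'],
    'behind trusted proxy'    => $base + ['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '10.0.0.5'],
    'proxy, client used http' => $base + ['HTTP_X_FORWARDED_PROTO' => 'http',  'REMOTE_ADDR' => '10.0.0.5'],
    'header from non-proxy'   => $base + ['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.7'],
];

foreach ($cases as $label => $server) {
    printf("%-24s -> %s\n", $label, loginTransportHeader($server));
}
```

Run it from the command line to see which header each sample request would receive; only the first and third cases get the Strict-Transport-Security header, the other three get the redirect. In a deployment where the proxy always overwrites X-Forwarded-Proto and the application host is not reachable by any other path, the REMOTE_ADDR gate is redundant, but it costs nothing and documents the assumption.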
Event Timeline
- stwalkerster created this paste. May 12 2016, 5:16 PM (2016-05-12 17:16:23 UTC+0)
- stwalkerster created this object with visibility "Public (No Login Required)".
- import-bot changed the edit policy from "All Users" to "Community (Project)". Feb 3 2017, 3:03 PM (2017-02-03 15:03:48 UTC+0)