Display HSTS headers only when HTTPS is used

2014-02-21 19:45:55 -05:00 · 2014-02-21 19:45:55 -05:00 · 94ce6f1364
parent f51aae9b16
commit 94ce6f1364
1 changed files with 3 additions and 1 deletions
--- a/lib/response.php
+++ b/lib/response.php
@ -125,7 +125,9 @@ class Response

    public function hsts()
    {
-        header('Strict-Transport-Security: max-age=31536000');
+        if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+            header('Strict-Transport-Security: max-age=31536000');
+        }
    }

    public function xframe($mode = 'DENY', array $urls = array())