Add configuration option to enable/disable 'Strict-Transport-Security' HTTP header

app/Controller/Base.php

@@ -116,9 +116,12 @@ abstract class Base
         $this->response->csp(array('style-src' => "'self' 'unsafe-inline'"));
         $this->response->nosniff();
         $this->response->xss();
-        $this->response->hsts();
         $this->response->xframe();
 
+        if (ENABLE_HSTS) {
+            $this->response->hsts();
+        }
+
         // Load translations
         $language = $this->config->get('language', 'en_US');
         if ($language !== 'en_US') Translator::load($language);

app/constants.php

@@ -68,3 +68,6 @@ defined('MAIL_SMTP_USERNAME') or define('MAIL_SMTP_USERNAME', '');
 defined('MAIL_SMTP_PASSWORD') or define('MAIL_SMTP_PASSWORD', '');
 defined('MAIL_SMTP_ENCRYPTION') or define('MAIL_SMTP_ENCRYPTION', null);
 defined('MAIL_SENDMAIL_COMMAND') or define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
+
+// Enable or disable "Strict-Transport-Security" HTTP header
+defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);

config.default.php

@@ -109,3 +109,6 @@ define('REVERSE_PROXY_DEFAULT_ADMIN', '');
 
 // Default domain to use for setting the email address
 define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
+
+// Enable or disable "Strict-Transport-Security" HTTP header
+define('ENABLE_HSTS', true);