closes #6613

2026-02-02 04:40:01 +01:00 · 2018-06-27 11:24:23 -04:00
parent 625ab1a46b
commit 5cf662e565
3 changed files with 36 additions and 0 deletions
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -12,6 +12,10 @@
 	"headers.acac": "Access-Control-Allow-Credentials",
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
+	"hsts": "Strict Transport Security",
+	"hsts.subdomains": "Include subdomains in HSTS header",
+	"hsts.preload": "Allow preloading of HSTS header",
+	"hsts.help": "An HSTS header is already pre-configured for this site. You can elect to include subdomains and preloading flags in your header. If in doubt, you can leave these unchecked. <a href=\"%1\">More information <i class=\"fa fa-external-link\"></i></a>",
 	"traffic-management": "Traffic Management",
 	"traffic.help": "NodeBB deploys equipped with a module that automatically denies requests in high-traffic situations. You can tune these settings here, although the defaults are a good starting point.",
 	"traffic.enable": "Enable Traffic Management",
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -63,6 +63,33 @@
 	</div>
 </div>

+<div class="row">
+	<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/advanced:hsts]]</div>
+	<div class="col-sm-10 col-xs-12">
+		<form>
+			<div class="form-group">
+				<label for="hsts-maxage">[[admin/settings/advanced:hsts.maxAge]]</label>
+				<input class="form-control" id="hsts-maxage" type="number" placeholder="31536000" data-field="hsts-maxage" /><br />
+			</div>
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" data-field="hsts-subdomains" checked>
+					<span class="mdl-switch__label"><strong>[[admin/settings/advanced:hsts.subdomains]]</strong></span>
+				</label>
+			</div>
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" data-field="hsts-preload">
+					<span class="mdl-switch__label"><strong>[[admin/settings/advanced:hsts.preload]]</strong></span>
+				</label>
+			</div>
+			<p class="help-block">
+				[[admin/settings/advanced:hsts.help, https:\/\/hstspreload.org\/]]
+			</p>
+		</form>
+	</div>
+</div>
+
 <div class="row">
 	<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/advanced:traffic-management]]</div>
 	<div class="col-sm-10 col-xs-12">
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -195,6 +195,11 @@ function setupExpressApp(app, callback) {

 	app.use(helmet());
 	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
+	app.use(helmet.hsts({
+		maxAge: parseInt(meta.config['hsts-maxage'], 10) || 31536000,
+		includeSubdomains: !!parseInt(meta.config['hsts-subdomains'], 10),
+		preload: !!parseInt(meta.config['hsts-preload'], 10),
+	}));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);