From d189bda524d88aafa0f49fe873496a7bc65443f3 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sun, 17 May 2015 13:40:56 -0400
Subject: [PATCH] Enable Strict-Transport-Security header for HTTPS
---
 common.php | 2 ++
 controllers/common.php | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/common.php b/common.php
index c1b9099..997fe8c 100644
--- a/common.php
+++ b/common.php
@@ -33,6 +33,8 @@ defined('AUTO_UPDATE_BACKUP_DIRECTORY') or define('AUTO_UPDATE_BACKUP_DIRECTORY'
 defined('RULES_DIRECTORY') or define('RULES_DIRECTORY', ROOT_DIRECTORY.DIRECTORY_SEPARATOR.'rules');
+defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);
+
 require __DIR__.'/check_setup.php';
 PicoDb\Database::bootstrap('db', function() {
diff --git a/controllers/common.php b/controllers/common.php
index da68444..07c3104 100644
--- a/controllers/common.php
+++ b/controllers/common.php
@@ -55,6 +55,10 @@ Router\before(function($action) {
     Response\xframe();
     Response\xss();
     Response\nosniff();
+
+    if (ENABLE_HSTS && Helper\is_secure_connection()) {
+        Response\hsts();
+    }
 });
 // Show help
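Review bot: The added `define('ENABLE_HSTS', true)` switches the header on for every existing installation at upgrade time, and the line carries no comment telling an operator that this is effectively a one-way setting. Once a browser has received Strict-Transport-Security it refuses plain HTTP to that host until the policy expires, so a deployment that still serves some pages or assets over HTTP will see them fail rather than degrade, and turning the constant back to `false` does not undo what browsers have already cached. A one-line comment above the define would make that visible where the value is set, e.g. `// Send Strict-Transport-Security on HTTPS responses; browsers then refuse plain HTTP to this host until the policy expires`.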
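Review bot: The guard on the added `if` rests entirely on `Helper\is_secure_connection()`, whose implementation is not part of this patch; if it derives the answer from a forwarded-protocol request header, that value is only trustworthy when a proxy in front of the application sets it, and the check should be documented as depending on that deployment assumption. The `Response\hsts()` call likewise hides the max-age and subdomain scope actually emitted, which is exactly what an operator needs to know before leaving `ENABLE_HSTS` at its default. A comment on the call would make the policy reviewable here, e.g. `// Only emit HSTS on a genuine HTTPS response; the max-age sent is fixed inside Response\hsts()`. The enclosing `Router\before` closure begins before this hunk, so the other headers it sets are only partly visible.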