Enable HSTS for TLS connections

Don't use X-Frame-Options: deny for now
Marcel Klehr 2014-06-17 13:21:38 +02:00
parent ffe7e65db6
commit 897f5189b0
1 changed files with 2 additions and 2 deletions


@ -71,9 +71,9 @@ exports.restartServer = function () {
}
app.use(function (req, res, next) {
res.header("X-Frame-Options", "deny");
// res.header("X-Frame-Options", "deny"); // breaks embedded pads
if(settings.ssl){ // if we use SSL
res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
}
res.header("Server", serverName);
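Review bot: Commenting out the `X-Frame-Options` line in the `app.use` middleware drops framing protection from every response, so installations that never embed pads lose their clickjacking defence along with those that do. Gating the header on a setting would keep it on by default, for example `if (!settings.allowEmbedding) res.header("X-Frame-Options", "deny");`, where `allowEmbedding` is a new option this commit would have to add; that also avoids leaving commented-out code in the file. On the HSTS line, `includeSubDomains` makes browsers require HTTPS for every subdomain of the serving host for a year, which deserves a comment such as `// HSTS also covers all subdomains of this host; they must serve TLS too`. The header is only sent when `settings.ssl` is set, so a deployment that terminates TLS at a reverse proxy would presumably not get it. The middleware body continues outside the hunk.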