contao / core

Contao 3 → see contao/contao for Contao 4
GNU Lesser General Public License v3.0

FeatureRequest: Config for HTTP Header HSTS and HPKP #8085

Closed Georg-Git closed 8 years ago

Georg-Git commented 8 years ago

The HTTP headers for Strict Transport Security (HSTS) and Public Key Pinning (HPKP) are easy to enable via `Header set` in the .htaccess file.

But these HTTP headers are not sent with PHP running in CGI mode.

So I added this in FrontendTemplate.php:

    ...
    if (!headers_sent())
    {
        // pin-sha256 value is a placeholder; HPKP needs the base64 SPKI hash(es) of the site's keys
        header('Public-Key-Pins: pin-sha256="..YourPINData.."; max-age=604800');
        header('Strict-Transport-Security: max-age=15768000; includeSubDomains');
    }

Of course this is a dirty solution.

So I request a function in the Contao backend to set and edit individual HTTP headers for each domain.

leofeyer commented 8 years ago

You can easily solve this with the existing hooks (e.g. "outputFrontendTemplate").

Georg-Git commented 8 years ago

Easily? Using the example code for the hook ends in a server error, without any modification:

    <?php
    // config.php
    $GLOBALS['TL_HOOKS']['outputFrontendTemplate'][] = array('MyClass', 'myOutputFrontendTemplate');

    // MyClass.php (the hook method must live inside the class Contao instantiates,
    // and that class has to be known to the class loader)
    class MyClass
    {
        public function myOutputFrontendTemplate($strBuffer, $strTemplate)
        {
            if ($strTemplate == 'fe_page')
            {
                // Modify output
            }
            return $strBuffer;
        }
    }
Georg-Git commented 8 years ago

Ok - thanks to Bugbuster: https://community.contao.org/de/showthread.php?56494-Hook-unter-contao-3-4-2

A long journey to the developer tools in the backend. Missing the autoload-creator was my problem.

Now, after some hours bumbling through Contao text adventures, it is easy ;-))
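For readers landing here from search, the complete working setup the thread arrives at (hook registration, autoloader entry, and a hook class that sends the headers) is shown below. This is an added example, not code from the issue or from the Contao project. The module path `system/modules/my_headers`, the class name `MyHeaders` and the config key `hpkpPins` are assumptions; `outputFrontendTemplate`, `ClassLoader::addClasses`, `\Environment::get('ssl')` and `\Config::get()` are Contao 3 APIs. HSTS is sent only on HTTPS responses (browsers ignore it on plain HTTP), and HPKP is opt-in because a wrong pin set locks visitors out until `max-age` expires, and browsers have since dropped HPKP support.

```php
<?php
// system/modules/my_headers/config/config.php  (assumed module path)
$GLOBALS['TL_HOOKS']['outputFrontendTemplate'][] = array('MyHeaders', 'addSecurityHeaders');

// system/modules/my_headers/config/autoload.php
// This is the entry the backend "autoload creator" generates; without it the
// hook class is never found and the request ends in a server error.
ClassLoader::addClasses(array(
    'MyHeaders' => 'system/modules/my_headers/classes/MyHeaders.php',
));

// system/modules/my_headers/classes/MyHeaders.php
class MyHeaders
{
    /**
     * outputFrontendTemplate hook: add HSTS (and optionally HPKP) to page responses.
     * Works in CGI mode because header() is called from PHP, not from .htaccess.
     */
    public function addSecurityHeaders($strBuffer, $strTemplate)
    {
        // Only full page templates, only over HTTPS, and only if nothing was sent yet
        if ($strTemplate != 'fe_page' || !\Environment::get('ssl') || headers_sent())
        {
            return $strBuffer;
        }

        // includeSubDomains applies the policy to every subdomain of this host,
        // so all of them must already be reachable over HTTPS.
        header('Strict-Transport-Security: max-age=15768000; includeSubDomains');

        // HPKP: hypothetical config key holding at least two pins, e.g.
        // array('pin-sha256="<current key>"', 'pin-sha256="<backup key>"').
        // The spec requires a backup pin; anything less is not sent.
        $pins = \Config::get('hpkpPins');
        if (is_array($pins) && count($pins) >= 2)
        {
            header('Public-Key-Pins: ' . implode('; ', $pins) . '; max-age=604800');
        }

        return $strBuffer;
    }
}
```

After adding the files, run the autoload creator (or clear the internal cache) in the backend developer tools so `autoload.php` is picked up; then check the result with `curl -I https://example.org/` and confirm the `Strict-Transport-Security` line appears only on the HTTPS response.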