
function _seckit_hsts in Security Kit 6

Same name and namespace in other branches
  1. 7 seckit.module _seckit_hsts()

Sends Strict-Transport-Security HTTP header

The HTTP Strict-Transport-Security (HSTS) header prevents eavesdropping and man-in-the-middle attacks such as SSLStrip: once a browser has received it over a valid HTTPS response, it sends every later request to that host (and, with includeSubDomains, to its subdomains) over HTTPS only, rewriting plain HTTP links to HTTPS before a request leaves the client, for max-age seconds. Browsers ignore the header when it arrives over plain HTTP, so it protects only users who have already reached the site over HTTPS once; a max-age of 0 tells the browser to drop a previously stored policy.

Implementation of HSTS is based on the specification draft available at http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 (since published as RFC 6797).
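As an added illustration (Python written for this page, not Security Kit's own PHP), the following models both ends of the contract: the header value that _seckit_hsts() assembles from max-age and includeSubDomains, and the way a conforming user agent parses that value and upgrades links to HTTPS, following RFC 6797 (the published form of the draft cited above). The function names, the sample policies and the example.com URLs are this example's own.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not Security Kit code. Server side: build the STS value.
# Client side: parse it and apply it to outgoing URLs as RFC 6797 requires.

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(
    r"^\s*(?P<name>" + _TOKEN + r")\s*"
    r"(?:=\s*(?:(?P<tok>" + _TOKEN + r")|\"(?P<quoted>(?:[^\"\\]|\\.)*)\"))?\s*$"
)


def build_hsts_header(max_age: int, include_subdomains: bool,
                      request_is_https: bool) -> Optional[str]:
    """Return the Strict-Transport-Security value to send, or None.

    A user agent ignores HSTS received over plain HTTP, so the header is
    only meaningful on a TLS response; this helper makes that check explicit.
    """
    if not request_is_https:
        return None
    if not isinstance(max_age, int) or max_age < 0:
        raise ValueError("max-age must be a non-negative integer (seconds)")
    directives = [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an STS header value the way a conforming user agent does.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    whole header must be ignored: bad syntax, a directive given twice, a
    non-numeric max-age, or no max-age at all. Directive names are
    case-insensitive and unknown directives are skipped, which is how later
    additions such as 'preload' stay backward compatible.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        if raw.strip() == "":
            continue  # the grammar allows empty directives, e.g. a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name = m.group("name").lower()
        if name in seen:
            return None  # each directive may appear only once
        seen.add(name)
        arg = m.group("tok") if m.group("tok") is not None else m.group("quoted")
        if name == "max-age":
            if arg is None or re.fullmatch(r"[0-9]+", arg) is None:
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            if arg is not None:
                return None  # includeSubDomains takes no value
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def upgrade_url(url: str, policy_host: str, policy: Dict[str, object]) -> str:
    """Rewrite an http:// URL to https:// if a stored HSTS policy covers its host.

    This is the 'convert HTTP links into secure' step: the user agent does it
    before any request leaves, so an on-path attacker never sees plaintext.
    An explicit port 80 becomes 443; any other explicit port is preserved.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or policy["max_age"] == 0:
        return url  # not an upgrade candidate, or the policy has been cleared
    host = (parts.hostname or "").lower()
    policy_host = policy_host.lower()
    covered = host == policy_host or (
        bool(policy["include_subdomains"]) and host.endswith("." + policy_host)
    )
    if not covered:
        return url
    if parts.port is None:
        netloc = parts.hostname
    elif parts.port == 80:
        netloc = f"{parts.hostname}:443"
    else:
        netloc = f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    sent = build_hsts_header(31536000, True, request_is_https=True)
    policy = parse_hsts(sent)
    print(sent, policy, upgrade_url("http://www.example.com/login", "example.com", policy))
```

The parser is deliberately strict where RFC 6797 is: a repeated directive or a missing max-age makes the browser discard the whole header, which is why the module always emits max-age first and emits includeSubDomains at most once.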

1 call to _seckit_hsts()
seckit_init in ./seckit.module
Implements hook_init().

File

./seckit.module, line 515
Allows administrators to improve security of the website.

Code

function _seckit_hsts() {

  // Get default/set options.
  $options = _seckit_get_options();

  // Prepare the HSTS header value: max-age (seconds) is mandatory,
  // includeSubDomains is appended only when enabled in the settings.
  $max_age = $options['seckit_ssl']['hsts_max_age'];
  $subdomains = $options['seckit_ssl']['hsts_subdomains'];
  $header = array();
  $header[] = "max-age={$max_age}";
  if ($subdomains) {
    $header[] = 'includeSubDomains';
  }
  $header = implode('; ', $header);

  // Send the HSTS header (the Drupal 6 API takes the full "Name: value" string).
  drupal_set_header("Strict-Transport-Security: {$header}");
}