public function SecKitEventSubscriber::seckitHsts in Security Kit 8

Same name and namespace in other branches
  1. 2.x src/EventSubscriber/SecKitEventSubscriber.php \Drupal\seckit\EventSubscriber\SecKitEventSubscriber::seckitHsts()

Sends HTTP Strict-Transport-Security header (HSTS).

The HSTS header prevents certain eavesdropping and MITM attacks such as SSLStrip. It forces the user-agent to send requests in HTTPS-only mode; for example, http:// links are treated as https://.

The implementation of HSTS is based on the specification draft available at http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02

1 call to SecKitEventSubscriber::seckitHsts()
SecKitEventSubscriber::onKernelResponse in src/EventSubscriber/SecKitEventSubscriber.php
Executes actions on the response event.

File

src/EventSubscriber/SecKitEventSubscriber.php, line 436

Class

SecKitEventSubscriber
Subscribing an event.

Namespace

Drupal\seckit\EventSubscriber

Code

public function seckitHsts() {

  // Prepare HSTS header value. max-age is always emitted; the optional
  // directives are appended only when enabled in seckit_ssl configuration.
  $header[] = sprintf("max-age=%d", $this->config->get('seckit_ssl.hsts_max_age'));
  if ($this->config->get('seckit_ssl.hsts_subdomains')) {
    $header[] = 'includeSubDomains';
  }
  if ($this->config->get('seckit_ssl.hsts_preload')) {
    $header[] = 'preload';
  }
  // Join the directives with "; " and set the header on the outgoing response.
  $header = implode('; ', $header);
  $this->response->headers->set('Strict-Transport-Security', $header);
}
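As an added example (not Security Kit code), the standalone script below rebuilds the header value the same way seckitHsts() does from a plain array standing in for the seckit_ssl.* settings, then checks the result against RFC 6797 (the published form of the draft cited above) and the hstspreload.org submission requirements, which the module itself does not validate. The functions build_hsts_header and check_hsts_header and the constructed settings are assumptions for illustration.

```php
<?php
// Added example (not Security Kit code): builds the header the way seckitHsts()
// does from an array standing in for the module's seckit_ssl.* config values,
// then checks the result against RFC 6797 and the hstspreload.org requirements.
function build_hsts_header(array $config): string {
  $directives = [sprintf('max-age=%d', $config['seckit_ssl.hsts_max_age'])];
  if (!empty($config['seckit_ssl.hsts_subdomains'])) {
    $directives[] = 'includeSubDomains';
  }
  if (!empty($config['seckit_ssl.hsts_preload'])) {
    $directives[] = 'preload';
  }
  return implode('; ', $directives);
}

// Parse a Strict-Transport-Security value and return the effective max-age plus
// any findings. Directive names are case-insensitive per RFC 6797.
function check_hsts_header(string $value): array {
  $maxAge = null; $subdomains = false; $preload = false;
  foreach (explode(';', $value) as $directive) {
    $directive = trim($directive);
    if (preg_match('/^max-age="?(\d+)"?$/i', $directive, $m)) {
      $maxAge = (int) $m[1];
    } elseif (strcasecmp($directive, 'includeSubDomains') === 0) {
      $subdomains = true;
    } elseif (strcasecmp($directive, 'preload') === 0) {
      $preload = true;
    }
  }
  $findings = [];
  if ($maxAge === null) {
    $findings[] = 'max-age missing: RFC 6797 requires it, so user agents ignore the header';
  } elseif ($maxAge === 0) {
    $findings[] = 'max-age=0 tells user agents to forget the policy rather than enforce it';
  }
  if ($preload && ($maxAge === null || $maxAge < 31536000)) {
    $findings[] = 'preload list requires max-age of at least 31536000 (one year)';
  }
  if ($preload && !$subdomains) {
    $findings[] = 'preload list requires includeSubDomains';
  }
  return ['max_age' => $maxAge, 'findings' => $findings];
}

// Constructed settings: preload requested, but max-age is far below one year
// and subdomains are not covered, so the preload submission would be rejected.
$header = build_hsts_header([
  'seckit_ssl.hsts_max_age' => 1000,
  'seckit_ssl.hsts_subdomains' => false,
  'seckit_ssl.hsts_preload' => true,
]);
print_r(check_hsts_header($header));
```

Note that a user agent only honours this header on a response received over TLS, so the check above is useful only once the site is actually served over HTTPS.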