
Do not allow access without HTTPS, unless explicitly disabled (#280)

sergeychernyshev committed Dec 27, 2017
1 parent 7929ad4 commit b8a3d6aec17daf759c40045fe7dd873e948e1668
Showing with 21 additions and 0 deletions.
  1. +10 −0 classes/StartupAPI.php
  2. +11 −0 default_config.php
@@ -136,6 +136,16 @@ public static function getVersion() {
* This function is called after all configuration is loaded to initialize the system.
*/
static function init() {
/**
* Verify if we use HTTPS, unless it explicitly disabled
*/
if (!array_key_exists('HTTPS', $_SERVER) && !UserConfig::$disableSecureConnection) {
header('HTTP/1.1 403 Forbidden');
echo "<h1>403 Forbidden</h1>";
echo "Access over insecure connection is forbidden, use HTTPS transport protocol.\n";
exit;
}
/**
* Legacy configuration options support
*/
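Review bot: The guard on the `if` line treats the mere presence of `$_SERVER['HTTPS']` as proof of a secure connection, but some servers (IIS is the well-known case) set it to `'off'` for plain-HTTP requests, so those requests pass the check; conversely, a deployment that terminates TLS at a reverse proxy never sets the variable and would be locked out with a 403 although the client is on HTTPS. Compare the value rather than only its presence: `$https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';` followed by `if (!$https && !UserConfig::$disableSecureConnection) {`. If proxy deployments must be supported, a forwarded-protocol header should only be honoured when the request comes from a configured, trusted proxy address, since otherwise it is client-controllable. Because the 403 is the only enforcement, consider also emitting `Strict-Transport-Security` on the HTTPS path so browsers stop issuing plaintext requests at all. The `init()` function continues past the end of this hunk.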
@@ -255,6 +255,17 @@ class UserConfig {
*/
public static $admins = array();
/**
* By default, do not allow usage of non-secure connections and enforce HTTPS
*
* WARNING, be absolutely sure when you change this and disable HTTPS:
* https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#HTTPS
*
* @var boolean
*/
public static $disableSecureConnection = FALSE;
/* ========================================================================
*
* DB cpnnectivity
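Review bot: The new docblock for `$disableSecureConnection` explains why not to disable the option but not what enforcement takes place or how HTTPS is detected, which is what an operator reads this file to find out. I would extend the description with: `* When left FALSE, StartupAPI::init() rejects any request without $_SERVER['HTTPS'] with a 403 response as its first action, so a web server or TLS-terminating proxy that does not set that variable will need it configured.` Minor style: `@var boolean` should be `@var bool`, and `FALSE` should be lowercase `false`. The context line `DB cpnnectivity` has a typo (`connectivity`), though it predates this commit.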
