This commit is contained in:
Eldad Fux 2020-06-01 22:58:58 +03:00
parent 21ff792ad7
commit 1ce76a8ca6
4 changed files with 15 additions and 1 deletions


@ -51,6 +51,7 @@ ENV TZ=Asia/Tel_Aviv \
_APP_HOME=https://appwrite.io \
_APP_EDITION=community \
_APP_OPTIONS_ABUSE=enabled \
_APP_OPTIONS_FORCE_HTTPS=disabled \
_APP_OPENSSL_KEY_V1=your-secret-key \
_APP_STORAGE_LIMIT=104857600 \
_APP_STORAGE_ANTIVIRUS=enabled \


@ -82,6 +82,14 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
* As recommended at:
* @see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
*/
if ($request->getServer('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
if(Config::getParam('protocol') !== 'https') {
return $response->redirect('https://' . Config::getParam('domain').$request->getServer('REQUEST_URI'));
}
$response->addHeader('Strict-Transport-Security', 'max-age='.(60 * 60 * 24 * 126)); // 126 days
}
$response
->addHeader('Server', 'Appwrite')
->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.urlencode($request->getServer('REQUEST_URI')))
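Review bot: The HSTS max-age of 126 days set on the `Strict-Transport-Security` line is below the one-year value that browser preload lists and most hardening guides expect, so a client that visits infrequently falls back to plain HTTP between visits; `$response->addHeader('Strict-Transport-Security', 'max-age='.(60 * 60 * 24 * 365)); // 1 year` would close that gap, with `; includeSubDomains` appended once every subdomain is known to serve TLS. The redirect branch above it returns for every request method with whatever status `$response->redirect()` defaults to, which is not visible here; if that default is 301/302, a POST or PUT arriving over HTTP is replayed as a body-less GET, so either document that behaviour or pass a 308 status if the method supports it. How `Config::getParam('protocol')` is derived is also outside the hunk; if it comes from a forwarded-proto header, the redirect is only safe when that header is set by a trusted proxy, and if it comes from the local scheme behind a TLS-terminating proxy the check would loop, which deserves a comment at the call site. The enclosing `$utopia->init` closure starts and ends outside the hunk.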


@ -66,6 +66,7 @@ services:
#- _APP_ENV=production
- _APP_ENV=development
- _APP_OPTIONS_ABUSE=disabled
- _APP_OPTIONS_FORCE_HTTPS=enabled
- _APP_OPENSSL_KEY_V1=your-secret-key
- _APP_DOMAIN=demo.appwrite.io
- _APP_DOMAIN_TARGET=demo.appwrite.io


@ -10,7 +10,11 @@ Set your server running environment. By default, the var is set to 'development'
### _APP_OPTIONS_ABUSE
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this check-in a production environment.
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this feature in a production environment.
### _APP_OPTIONS_FORCE_HTTPS
Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the 'Strict-Transport-Security' header to all HTTP responses. By default, set to 'disabled'. To enable, set to 'enabled'. This feature will work only when your ports are set to default 80 and 443.
### _APP_OPENSSL_KEY_V1