Fix for #368
This commit is contained in:
parent
21ff792ad7
commit
1ce76a8ca6
|
@ -51,6 +51,7 @@ ENV TZ=Asia/Tel_Aviv \
|
|||
_APP_HOME=https://appwrite.io \
|
||||
_APP_EDITION=community \
|
||||
_APP_OPTIONS_ABUSE=enabled \
|
||||
_APP_OPTIONS_FORCE_HTTPS=disabled \
|
||||
_APP_OPENSSL_KEY_V1=your-secret-key \
|
||||
_APP_STORAGE_LIMIT=104857600 \
|
||||
_APP_STORAGE_ANTIVIRUS=enabled \
|
||||
|
|
|
@ -82,6 +82,14 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
|
|||
* As recommended at:
|
||||
* @see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
||||
*/
|
||||
if ($request->getServer('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
|
||||
if(Config::getParam('protocol') !== 'https') {
|
||||
return $response->redirect('https://' . Config::getParam('domain').$request->getServer('REQUEST_URI'));
|
||||
}
|
||||
|
||||
$response->addHeader('Strict-Transport-Security', 'max-age='.(60 * 60 * 24 * 126)); // 126 days
|
||||
}
|
||||
|
||||
$response
|
||||
->addHeader('Server', 'Appwrite')
|
||||
->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.urlencode($request->getServer('REQUEST_URI')))
|
||||
|
|
|
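Review bot: The redirect at `if(Config::getParam('protocol') !== 'https')` will loop if the PHP process only ever sees plain HTTP — typically behind a TLS-terminating proxy or load balancer — unless `Config::getParam('protocol')` already honours the forwarded scheme; the hunk does not show how `protocol` is derived, so that is worth confirming before the option is switched on in a deployment. The HSTS value `max-age=126 days` (60*60*24*126 = 10886400 s) is below the one-year minimum the browser preload lists require and omits `includeSubDomains`; where every subdomain is served over HTTPS, `'max-age=31536000; includeSubDomains'` is the usual hardening, and sending the header only on the HTTPS branch is correct since clients ignore HSTS received over plain HTTP. As a point of style, the inner `if(` and the unspaced `.` concatenation on the redirect line differ from the outer `if (` line; `if (Config::getParam('protocol') !== 'https') {` and `'https://' . Config::getParam('domain') . $request->getServer('REQUEST_URI')` match the surrounding code. The enclosing `$utopia->init` closure starts and ends outside the hunk.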
@ -66,6 +66,7 @@ services:
|
|||
#- _APP_ENV=production
|
||||
- _APP_ENV=development
|
||||
- _APP_OPTIONS_ABUSE=disabled
|
||||
- _APP_OPTIONS_FORCE_HTTPS=enabled
|
||||
- _APP_OPENSSL_KEY_V1=your-secret-key
|
||||
- _APP_DOMAIN=demo.appwrite.io
|
||||
- _APP_DOMAIN_TARGET=demo.appwrite.io
|
||||
|
|
|
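Review bot: `_APP_OPTIONS_FORCE_HTTPS=enabled` is turned on here next to `_APP_ENV=development` and the placeholder `_APP_OPENSSL_KEY_V1=your-secret-key`, while the Dockerfile default in this commit is `disabled`; if this compose file doubles as the local development template, an http-only local run will be redirected to `https://` on `_APP_DOMAIN` and the redirect will keep repeating until TLS is actually served there. If the intent is that only the hosted demo forces HTTPS, a comment such as `# only enable once TLS is terminated on 443 for _APP_DOMAIN` above the line, or leaving it `disabled` in the shared file, would make that explicit.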
@ -10,7 +10,11 @@ Set your server running environment. By default, the var is set to 'development'
|
|||
|
||||
### _APP_OPTIONS_ABUSE
|
||||
|
||||
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this check-in a production environment.
|
||||
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this feature in a production environment.
|
||||
|
||||
### _APP_OPTIONS_FORCE_HTTPS
|
||||
|
||||
Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the 'Strict-Transport-Security' header to all HTTP responses. By default, set to 'disabled'. To enable, set to 'enabled'. This feature will work only when your ports are set to default 80 and 443.
|
||||
|
||||
### _APP_OPENSSL_KEY_V1
|
||||
|
||||
|
|