CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-06-28 11:10:46 +12:00
Code Issues Projects Releases Wiki Activity

Merge pull request #369 from appwrite/force-https

Browse source 
Force https
This commit is contained in:
Eldad A. Fux 2020-06-10 21:25:12 +03:00 committed by GitHub
parent 354f7a53d5 897de6095f
commit c8dc68ca26
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGES.md
View file

@ -3,6 +3,7 @@
## Features
- New route in Locale API to fetch a list of languages
- Added option to force HTTPS connection to the Appwrite server (_APP_OPTIONS_FORCE_HTTPS)
- Added Google Fonts to Appwrite for offline availability
## Bug Fixes

1
Dockerfile
View file

@ -51,6 +51,7 @@ ENV TZ=Asia/Tel_Aviv \
_APP_HOME=https://appwrite.io \
_APP_EDITION=community \
_APP_OPTIONS_ABUSE=enabled \
_APP_OPTIONS_FORCE_HTTPS=disabled \
_APP_OPENSSL_KEY_V1=your-secret-key \
_APP_STORAGE_LIMIT=104857600 \
_APP_STORAGE_ANTIVIRUS=enabled \

8
app/app.php
View file

@ -82,6 +82,14 @@ $utopia->init(function () use ($utopia, $request, $response, &$user, $project, $
* As recommended at:
* @see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
*/
if ($request->getServer('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
if(Config::getParam('protocol') !== 'https') {
return $response->redirect('https://' . Config::getParam('domain').$request->getServer('REQUEST_URI'));
}
$response->addHeader('Strict-Transport-Security', 'max-age='.(60 * 60 * 24 * 126)); // 126 days
}
$response
->addHeader('Server', 'Appwrite')
->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.urlencode($request->getServer('REQUEST_URI')))

1
docker-compose.yml
View file

@ -66,6 +66,7 @@ services:
#- _APP_ENV=production
- _APP_ENV=development
- _APP_OPTIONS_ABUSE=disabled
- _APP_OPTIONS_FORCE_HTTPS=disabled
- _APP_OPENSSL_KEY_V1=your-secret-key
- _APP_DOMAIN=demo.appwrite.io
- _APP_DOMAIN_TARGET=demo.appwrite.io

6
docs/tutorials/environment-variables.md
View file

@ -10,7 +10,11 @@ Set your server running environment. By default, the var is set to 'development'
### _APP_OPTIONS_ABUSE
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this check-in a production environment.
Allows you to disable abuse checks and API rate limiting. By default, set to 'enabled'. To cancel the abuse checking, set to 'disabled'. It is not recommended to disable this feature in a production environment.
### _APP_OPTIONS_FORCE_HTTPS
Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the 'Strict-Transport-Security' header to all HTTP responses. By default, set to 'disabled'. To enable, set to 'enabled'. This feature will work only when your ports are set to default 80 and 443.
### _APP_OPENSSL_KEY_V1