diff --git a/_example/etc/api-apache2.4.conf b/_example/etc/api-apache2.4.conf
index 53abd3403..24c24df98 100644
--- a/_example/etc/api-apache2.4.conf
+++ b/_example/etc/api-apache2.4.conf
@@ -92,7 +92,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/api-apache2.X.conf b/_example/etc/api-apache2.X.conf
index ffcc7425c..ebfe91720 100644
--- a/_example/etc/api-apache2.X.conf
+++ b/_example/etc/api-apache2.X.conf
@@ -105,7 +105,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/api-apache2.conf b/_example/etc/api-apache2.conf
index f362c8778..a4bc83def 100644
--- a/_example/etc/api-apache2.conf
+++ b/_example/etc/api-apache2.conf
@@ -94,7 +94,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/api-nginx.conf b/_example/etc/api-nginx.conf
index 3f9668c1d..42a7978e8 100644
--- a/_example/etc/api-nginx.conf
+++ b/_example/etc/api-nginx.conf
@@ -40,9 +40,6 @@ server {
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
- # Uncomment this if you use https only
- #add_header Strict-Transport-Security "max-age=15768000";
-
}
# By default, access to this VHost is denied
diff --git a/_example/etc/handler-apache2.4.conf b/_example/etc/handler-apache2.4.conf
index e54bf757b..6f04d7482 100644
--- a/_example/etc/handler-apache2.4.conf
+++ b/_example/etc/handler-apache2.4.conf
@@ -44,9 +44,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/handler-apache2.X.conf b/_example/etc/handler-apache2.X.conf
index 035b4d467..4971480f4 100644
--- a/_example/etc/handler-apache2.X.conf
+++ b/_example/etc/handler-apache2.X.conf
@@ -61,9 +61,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/handler-apache2.conf b/_example/etc/handler-apache2.conf
index 94a27d79d..dabd739fb 100644
--- a/_example/etc/handler-apache2.conf
+++ b/_example/etc/handler-apache2.conf
@@ -51,9 +51,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/handler-nginx.conf b/_example/etc/handler-nginx.conf
index 5e8a4e985..3e13378c1 100644
--- a/_example/etc/handler-nginx.conf
+++ b/_example/etc/handler-nginx.conf
@@ -50,9 +50,6 @@ server {
# Client requests
location / {
deny all;
-
- # Uncomment this if you use https only
- #add_header Strict-Transport-Security "max-age=15768000";
}
# Uncomment this if status is enabled
diff --git a/_example/etc/manager-apache2.4.conf b/_example/etc/manager-apache2.4.conf
index 62841e33d..f4be27be4 100644
--- a/_example/etc/manager-apache2.4.conf
+++ b/_example/etc/manager-apache2.4.conf
@@ -95,7 +95,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/manager-apache2.X.conf b/_example/etc/manager-apache2.X.conf
index 614c311f7..0116a4fbe 100644
--- a/_example/etc/manager-apache2.X.conf
+++ b/_example/etc/manager-apache2.X.conf
@@ -114,7 +114,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/manager-apache2.conf b/_example/etc/manager-apache2.conf
index 540557cbc..46ca446f1 100644
--- a/_example/etc/manager-apache2.conf
+++ b/_example/etc/manager-apache2.conf
@@ -98,7 +98,4 @@
Options +FollowSymLinks
DirectoryIndex index.html start.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/manager-nginx.conf b/_example/etc/manager-nginx.conf
index 717df28eb..8ed46e3ad 100644
--- a/_example/etc/manager-nginx.conf
+++ b/_example/etc/manager-nginx.conf
@@ -35,9 +35,6 @@ server {
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
-
- # Uncomment this if you use https only
- #add_header Strict-Transport-Security "max-age=15768000";
}
location / {
diff --git a/_example/etc/portal-apache2.4.conf b/_example/etc/portal-apache2.4.conf
index 4c01b47a0..e7d34ffc5 100644
--- a/_example/etc/portal-apache2.4.conf
+++ b/_example/etc/portal-apache2.4.conf
@@ -113,8 +113,5 @@
Header append Vary User-Agent env=!dont-vary
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/portal-apache2.X.conf b/_example/etc/portal-apache2.X.conf
index 7c58699a6..4fb038977 100644
--- a/_example/etc/portal-apache2.X.conf
+++ b/_example/etc/portal-apache2.X.conf
@@ -144,8 +144,5 @@
Header append Vary User-Agent env=!dont-vary
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/portal-apache2.conf b/_example/etc/portal-apache2.conf
index 406ba919f..1d9ce2a8e 100644
--- a/_example/etc/portal-apache2.conf
+++ b/_example/etc/portal-apache2.conf
@@ -110,8 +110,5 @@
Header append Vary User-Agent env=!dont-vary
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/portal-nginx.conf b/_example/etc/portal-nginx.conf
index 948d29e3d..d81553abc 100644
--- a/_example/etc/portal-nginx.conf
+++ b/_example/etc/portal-nginx.conf
@@ -88,9 +88,6 @@ server {
index index.psgi;
location / {
try_files $uri $uri/ =404;
-
- # Uncomment this if you use https only
- #add_header Strict-Transport-Security "max-age=15768000";
}
location /static/ {
diff --git a/_example/etc/test-apache2.4.conf b/_example/etc/test-apache2.4.conf
index d69f131d7..f36146da6 100644
--- a/_example/etc/test-apache2.4.conf
+++ b/_example/etc/test-apache2.4.conf
@@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
DirectoryIndex index.pl index.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/test-apache2.X.conf b/_example/etc/test-apache2.X.conf
index 84ddac8e4..2a73782b4 100644
--- a/_example/etc/test-apache2.X.conf
+++ b/_example/etc/test-apache2.X.conf
@@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
DirectoryIndex index.pl index.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/test-apache2.conf b/_example/etc/test-apache2.conf
index 168e8a242..f69b01d48 100644
--- a/_example/etc/test-apache2.conf
+++ b/_example/etc/test-apache2.conf
@@ -36,7 +36,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
DirectoryIndex index.pl index.html
-
- # Uncomment this if site if you use SSL only
- #Header set Strict-Transport-Security "max-age=15768000"
diff --git a/_example/etc/test-nginx.conf b/_example/etc/test-nginx.conf
index 077e65263..d2c719924 100644
--- a/_example/etc/test-nginx.conf
+++ b/_example/etc/test-nginx.conf
@@ -88,9 +88,6 @@ server {
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
- # Uncomment this if you use https only
- #add_header Strict-Transport-Security "max-age=15768000";
-
# Set REMOTE_USER and REMOTE_CUSTOM (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
#fastcgi_param REMOTE_CUSTOM $lmremote_custom;
diff --git a/doc/sources/admin/authssl.rst b/doc/sources/admin/authssl.rst
index 20b952a4f..045e160eb 100644
--- a/doc/sources/admin/authssl.rst
+++ b/doc/sources/admin/authssl.rst
@@ -181,7 +181,6 @@ Nginx SSL Virtual Host example with uWSGI
#index index.psgi;
location / {
try_files $uri $uri/ =404;
- add_header Strict-Transport-Security "max-age=15768000";
}
}
diff --git a/doc/sources/admin/security.rst b/doc/sources/admin/security.rst
index c80ec6ef9..8bb6c5898 100644
--- a/doc/sources/admin/security.rst
+++ b/doc/sources/admin/security.rst
@@ -332,6 +332,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
- **Form timeout**: Form token timeout (default to 120 seconds)
- **Use global storage**: Local cache is used by default for one time
tokens. To use global storage, set it to 'On'
+- **Strict-Transport-Security Max-age**: set STS header max-age if you use SSL only (default=15768000)
- **CrowdSec Bouncer**: set to 'On' to enable :doc:`CrowdSec Bouncer plugin`
- **Brute-Force Attack protection**: set to 'On' to enable :doc:`Brute-force protection plugin`
- **LWP::UserAgent and SSL options**: insert here options to pass to
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
index 893745bb2..b28ad7ef4 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Expiration time",
"storePassword":"تخزين كلمة مرور المستخدم في بيانات الجلسة",
"string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Subtitle",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"تم الحفظ بنجاح",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/en.json b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
index 4c7531316..8f1df8377 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@@ -1133,6 +1133,7 @@
"stayConnectedCookieName":"Cookie name",
"stayConnectedTimeout":"Expiration time",
"storePassword":"Store user password in session",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"string":"String",
"subtitle":"Subtitle",
"successLoginNumber":"Max successful logins count",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/es.json b/lemonldap-ng-manager/site/htdocs/static/languages/es.json
index 7466d7610..41b3b4cae 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Expiration time",
"storePassword":"Almacenar contraseña de usuario en la sesión",
"string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Subtítulo",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"Salvado con éxito",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
index 45741b2b6..7e261dbea 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@@ -2,7 +2,7 @@
"2faSessions":"Explorateur sessions 2ndFA",
"2ndFA":"Seconds Facteurs",
"ADPwdExpireWarning":"Avertissement avant expiration du mot de passe",
-"ADPwdMaxAge":"Âge maximal du mot de passe",
+"ADPwdMaxAge":"Age maximal du mot de passe",
"AuthLDAPFilter":"Filtre d'authentification",
"Configuration":"Configuration",
"CrowdSecPlugin":"CrowdSec Bouncer",
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Durée de validité",
"storePassword":"Stocke le mot de passe de l'utilisateur en session",
"string":"Chaîne",
+"strictTransportSecurityMax_Age":"Age maximum Strict-Transport-Security",
"subtitle":"Sous-titre",
"successLoginNumber":"Nombre de connexions mémorisées",
"successfullySaved":"Sauvegarde effectuée",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/he.json b/lemonldap-ng-manager/site/htdocs/static/languages/he.json
index 04b45b540..02f4f084c 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/he.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/he.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Expiration time",
"storePassword":"Store user password in session",
"string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Subtitle",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"נשמר בהצלחה",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/it.json b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
index e26b8d1af..7dcc55ad8 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Expiration time",
"storePassword":"Memorizzare la password dell'utente nei dati di sessione",
"string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Subtitle",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"Salvato con successo",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
index b361b68c8..8b81df615 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Data ważności",
"storePassword":"Przechowuj hasło użytkownika w sesji",
"string":"Łańcuch znaków",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Podtytuł",
"successLoginNumber":"Maksymalna liczba udanych logowań",
"successfullySaved":"Pomyślnie zapisano",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
index 51c53e06a..4daa64772 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Son kullanma süresi",
"storePassword":"Kullanıcı parolasını oturumda sakla",
"string":"Dize",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Altyazı",
"successLoginNumber":"Maksimum başarılı giriş sayısı",
"successfullySaved":"Başarıyla kaydedildi",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
index 76d9147c3..ac1f0b443 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"Expiration time",
"storePassword":"Lưu trữ mật khẩu người dùng trong các dữ liệu phiên",
"string":"String",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"Subtitle",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"Lưu thành công",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
index 4a129720e..28842bdfa 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"過期名稱",
"storePassword":"在工作階段中儲存使用者密碼",
"string":"字串",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"副標題",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"成功儲存",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
index 00d2bfb6c..2aad4ce8e 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
@@ -1134,6 +1134,7 @@
"stayConnectedTimeout":"過期名稱",
"storePassword":"在工作階段中儲存使用者密碼",
"string":"字串",
+"strictTransportSecurityMax_Age":"Strict-Transport-Security max age",
"subtitle":"副標題",
"successLoginNumber":"Max successful logins count",
"successfullySaved":"成功儲存",
diff --git a/lemonldap-ng-portal/t/01-AuthDemo.t b/lemonldap-ng-portal/t/01-AuthDemo.t
index b7eaf763d..e8ef8cf6d 100644
--- a/lemonldap-ng-portal/t/01-AuthDemo.t
+++ b/lemonldap-ng-portal/t/01-AuthDemo.t
@@ -11,9 +11,11 @@ my $res;
my $client = LLNG::Manager::Test->new( {
ini => {
- logLevel => 'error',
- useSafeJail => 1,
- portalFavicon => 'common/llng.ico'
+ logLevel => 'error',
+ portal => 'https://auth.example.com/',
+ useSafeJail => 1,
+ strictTransportSecurityMax_Age => '1977',
+ portalFavicon => 'common/llng.ico'
}
}
);
@@ -33,6 +35,9 @@ ok(
),
'Get Menu'
);
+ok( getHeader( $res, 'Strict-Transport-Security' ) =~ /^max-age=1977$/,
+ 'Strict-Transport-Security is set' )
+ or explain( $res->[1], 'Content-Type => application/xml' );
ok( $res->[2]->[0] =~ //, 'Rejected with PE_BADURL' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ m%%, ' Language icons found' )
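Review bot: The failure diagnostic attached to the new Strict-Transport-Security assertion is copied from an unrelated check — `or explain( $res->[1], 'Content-Type => application/xml' )` prints a Content-Type hint when it is the HSTS header that failed, which will mislead whoever debugs a failure. Since `ok` and `explain` are Test::More here, `like( getHeader( $res, 'Strict-Transport-Security' ), qr/\Amax-age=1977\z/, 'Strict-Transport-Security is set' );` reports the actual header value on failure and needs no hand-written hint. The earlier hunk pins `portal => 'https://auth.example.com/'`, which suggests the header is only emitted for an https portal; if that is the intended rule, a companion check that the header is absent when the portal URL is plain http (or when `strictTransportSecurityMax_Age` is unset) would lock the conditional in, though the implementation is not visible in this diff.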
@@ -40,7 +45,7 @@ ok( $res->[2]->[0] =~ m%%, ' Language icons found' )
ok( $res->[2]->[0] =~ m%link href="/static/common/llng.ico%,
' Custom favicon found' )
or print STDERR Dumper( $res->[2]->[0] );
-count(4);
+count(5);
# Test "first access" with a wildcard-protected url
ok(