HSTS header should be set on server side; not by application

2015-07-02 12:34:03 +02:00 · 2015-07-02 12:34:03 +02:00 · d48395d059
commit d48395d059
parent 67cc41973f
1 changed files with 0 additions and 12 deletions
--- a/public/api.php
+++ b/public/api.php
@ -41,9 +41,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
            
            // forbid browser to load javascript from an external location
            header("Content-Security-Policy: script-src 'self'");
-            
-            // strict transport security header
-            header("Strict-Transport-Security: max-age=31536000");

            // prevent caching explicitly
            header("Expires: -1");
@ -55,9 +52,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
            // forbid browser to load javascript from an external location
            header("Content-Security-Policy: script-src 'self'");
            
-            // strict transport security header
-            header("Strict-Transport-Security: max-age=31536000");
-            
            // set content-type and charset
            header('Content-Type: application/x-json-encrypted; charset=utf-8');

@ -100,9 +94,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
            // set http header
            header("HTTP/1.0 200 OK");
            
-            // forbid browser to load javascript from an external location
-            header("Content-Security-Policy: script-src 'self'");
-            
            // strict transport security header
            header("Strict-Transport-Security: max-age=31536000");
            
@ -141,9 +132,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
        
        // forbid browser to load javascript from an external location
        header("Content-Security-Policy: script-src 'self'");
-        
-        // strict transport security header
-        header("Strict-Transport-Security: max-age=31536000");

        // prevent caching explicitly
        header("Expires: -1");