From d48395d0593b437e75e6e93a27f90f9b10c979aa Mon Sep 17 00:00:00 2001
From: jelhan
Date: Thu, 2 Jul 2015 12:34:03 +0200
Subject: [PATCH] HSTS header should be set on server side; not by application

---
 public/api.php | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/public/api.php b/public/api.php
index 13f5de3..2dcd2cc 100644
--- a/public/api.php
+++ b/public/api.php
@@ -41,9 +41,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
 // forbid browser to load javascript from an external location
 header("Content-Security-Policy: script-src 'self'");
-
- // strict transport security header
- header("Strict-Transport-Security: max-age=31536000");
 // prevent caching explicitly
 header("Expires: -1");
@@ -55,9 +52,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
 // forbid browser to load javascript from an external location
 header("Content-Security-Policy: script-src 'self'");
- // strict transport security header
- header("Strict-Transport-Security: max-age=31536000");
-
 // set content-type and charset
 header('Content-Type: application/x-json-encrypted; charset=utf-8');
@@ -100,9 +94,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
 // set http header
 header("HTTP/1.0 200 OK");
- // forbid browser to load javascript from an external location
- header("Content-Security-Policy: script-src 'self'");
- // strict transport security header
 header("Strict-Transport-Security: max-age=31536000");
@@ -141,9 +132,6 @@ switch ($_SERVER['REQUEST_METHOD']) {
 // forbid browser to load javascript from an external location
 header("Content-Security-Policy: script-src 'self'");
-
- // strict transport security header
- header("Strict-Transport-Security: max-age=31536000");
 // prevent caching explicitly
 header("Expires: -1");
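Review bot: The third hunk (`@@ -100,9 +94,6 @@`) deletes `header("Content-Security-Policy: script-src 'self'");` and its comment while leaving `header("Strict-Transport-Security: max-age=31536000");` in place, which is the opposite of what the subject line and the other three hunks do. After this commit that response branch is the only one still emitting HSTS from the application and the only one without the script-src restriction, so the line to remove there should be `header("Strict-Transport-Security: max-age=31536000");` with the Content-Security-Policy comment and header kept. Whether the `// strict transport security header` comment is also dropped in that hunk cannot be told from the collapsed text, but it should go together with the header either way. All four hunks sit inside the `switch ($_SERVER['REQUEST_METHOD'])` block whose start and end are outside the patch. Since HSTS now depends entirely on the web server configuration, it would be worth recording in the deployment notes that the server must send the header on HTTPS responses, otherwise the protection is silently lost.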