From 96310b4366c473c8de08ae58312c091ae4745a16 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Thu, 28 Nov 2013 00:52:18 +0000
Subject: [PATCH] Use HSTS in apache conf. Fixes #47.
---
 Makefile | 1 +
 share/apache2/plinth.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/Makefile b/Makefile
index 36e1da9b6..4ef0ce82a 100644
--- a/Makefile
+++ b/Makefile
@@ -100,6 +100,7 @@ apache-config: apache-install apache-ssl
 apache-ssl:
 make-ssl-cert generate-default-snakeoil
 a2enmod ssl
+ a2enmod headers
 a2enmod rewrite
 a2enmod proxy
 a2enmod proxy_http
diff --git a/share/apache2/plinth.conf b/share/apache2/plinth.conf
index e29a543ca..5edd6eea6 100644
--- a/share/apache2/plinth.conf
+++ b/share/apache2/plinth.conf
@@ -21,6 +21,9 @@
 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
+ ## Use HTTP Strict Transport Security to force client to use secure connections only
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
 ## Shared options.
 ProxyPreserveHost on
 DocumentRoot /usr/share/plinth
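Review bot: The new `Header always set Strict-Transport-Security` line in share/apache2/plinth.conf sits directly under the snakeoil `SSLCertificateFile`/`SSLCertificateKeyFile` context lines, and user agents following RFC 6797 ignore an HSTS header received over a connection with certificate errors, so with the default self-signed certificate the policy likely has no effect until the client trusts or replaces that certificate. Once it is honoured, `max-age=31536000; includeSubDomains` pins the host and every subdomain to HTTPS for a year and removes the click-through on certificate warnings, so a regenerated snakeoil certificate or an HTTP-only service on a subdomain becomes unreachable for those clients. I would start with a short lifetime and no subdomain scope until a trusted certificate is in place, e.g. `Header always set Strict-Transport-Security "max-age=86400"`, and extend the comment with `## Only honoured once the client trusts the certificate; raise max-age after replacing the snakeoil cert`. The enclosing virtual-host block starts and ends outside the hunk, so whether plain-HTTP requests are redirected to this host cannot be confirmed from here.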