Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

.htaccess

@@ -1,5 +1,10 @@
 Options -Indexes
 
+<IfModule mod_headers.c>
+Header set Strict-Transport-Security: "max-age=15768000; includeSubDomains; preload"
+Header set X-Content-Type-Options: "nosniff"
+</IfModule>
+
 RewriteEngine On
 RewriteRule ^favicon.ico$ styles/bootstrap/favicon.ico [L]
 

CHANGELOG

@@ -210,6 +210,7 @@
 - fix security hole which allowed under certain conditions to access
   arbitrary files
 - use mandatory reviewers/approvers when adding files by webdav
+- set some http security headers in .htaccess
 
 --------------------------------------------------------------------------------
                      Changes in version 5.1.21

doc/README.Install.md

@@ -80,6 +80,19 @@ http://your-domain/ or http://your-domain/seeddms51x.
 SECURITY CONSIDERATIONS
 =======================
 
+First of all you should always access your SeedDMS installation through
+a secured https connection, unless you know precisly what are you doing.
+SeedDMS ships an .htaccess file which already has some common security
+http headers set. In order for them to apply you need to activate the
+headers module. On Debian this can be done with
+
+```
+a2enmod headers
+```
+
+Protect directories with data or configuration
+---------------------------------------------
+
 A crucial point when setting up SeedDMS is the propper placement of the
 data directory. Do not place it below your document root as
 configured in your web server! If you do so, there is good change that

views/bootstrap/class.Bootstrap.php

@@ -73,7 +73,7 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 			}
 		}
 		header('X-Content-Type-Options: nosniff');
-		header('Strict-Transport-Security: max-age=15768000');
+		header('Strict-Transport-Security: max-age=15768000; includeSubDomains; preload');
 		if($httpheader) {
 			foreach($httpheader as $name=>$value) {
 				header($name . ": " . $value);