From 6dd4ff69e986ab7be9665ddf456e235bfffc32ed Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 14 Feb 2019 15:53:22 -0800
Subject: [PATCH] Made HTTPS strict configurable.
---
 meshagent.js | 2 +-
 package.json | 2 +-
 webserver.js | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/meshagent.js b/meshagent.js
index 117378ee..d9fe1e80 100644
--- a/meshagent.js
+++ b/meshagent.js
@@ -385,7 +385,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 obj.db.Set(obj.common.escapeLinksFieldName(mesh));
 obj.parent.meshes[obj.dbMeshKey] = mesh;
- if (adminUser.links == null) user.links = {};
+ if (adminUser.links == null) adminUser.links = {};
 adminUser.links[obj.dbMeshKey] = { rights: 0xFFFFFFFF };
 obj.db.SetUser(adminUser);
 obj.parent.parent.DispatchEvent(['*', obj.dbMeshKey, adminUser._id], obj, { etype: 'mesh', username: adminUser.name, meshid: obj.dbMeshKey, name: meshname, mtype: 2, desc: '', action: 'createmesh', links: links, msg: 'Mesh created: ' + obj.meshid, domain: domain.id });
diff --git a/package.json b/package.json
index 7befb4f7..4f351b60 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.2.8-g",
+ "version": "0.2.8-i",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/webserver.js b/webserver.js
index 05dc4e4f..b29b6aa8 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2211,8 +2211,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // Default headers if TLS is used
 //headers = { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src https: wss: data: 'self';script-src https: 'unsafe-inline';style-src https: 'unsafe-inline'" };
- // Set Strict-Transport-Security if we are using a trusted certificate or TLS offload.
- headers = { 'Strict-Transport-Security': 'max-age=31536000;includeSubDomains' };
+ if (typeof obj.args.httpsstrict == 'number') {
+ // Set Strict-Transport-Security if we are using a trusted certificate or TLS offload.
+ headers = { 'Strict-Transport-Security': 'max-age=' + obj.args.httpsstrict + ';includeSubDomains' };
+ }
 }
 if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; }
 res.set(headers);
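Review bot: With the new guard, Strict-Transport-Security is no longer sent at all unless `httpsstrict` is configured, so the effective default drops from a one-year HSTS policy to none; if that opt-in is intended (HSTS on a host with an untrusted certificate leaves browsers unable to connect), the commit message should say so, and the comment kept inside the block should describe the new condition, e.g. `// Set Strict-Transport-Security only when httpsstrict (max-age in seconds) is configured; enable it only behind a trusted certificate or TLS offload.` The check itself accepts any number, so a negative or fractional value produces an invalid max-age, and a value arriving as a string (if args can also come from the command line) is silently ignored; tighten it to `if (Number.isInteger(obj.args.httpsstrict) && obj.args.httpsstrict >= 0) {`. CreateWebServer starts outside the hunk.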