authorGravatar Frédéric Guillot <fred@miniflux.net>2018-02-03 15:54:02 -0800
committerGravatar Frédéric Guillot <fred@miniflux.net>2018-02-03 15:54:02 -0800
commit61bc012a6284f90001b2339ecfdfb5b96e38be10 (patch)
treee67e860a6f87137bc233181d22781f0a117cfcf1
parent9c4299720900fce52daedfce2314d31e92f7fe1d (diff)
Add support for HTTP Strict Transport Security header
-rw-r--r--config/config.go5
-rw-r--r--config/config_test.go19
-rw-r--r--http/handler/handler.go2
-rw-r--r--http/handler/response.go10
4 files changed, 33 insertions, 3 deletions
diff --git a/config/config.go b/config/config.go
index 05b5d3b..9bd673e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
return c.get("OAUTH2_PROVIDER", "")
}
+// HasHSTS returns true if HTTP Strict Transport Security is enabled.
+func (c *Config) HasHSTS() bool {
+ return c.get("DISABLE_HSTS", "") == ""
+}
+
// NewConfig returns a new Config.
func NewConfig() *Config {
return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
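Review bot: `HasHSTS` treats any non-empty `DISABLE_HSTS` value as disabling the header, so `DISABLE_HSTS=0` or `DISABLE_HSTS=false` also switches HSTS off; that matches how `HTTPS` is read in `NewConfig` just below, but the new doc comment does not say so and operators will guess at the accepted values. Suggest `// HasHSTS returns true unless the DISABLE_HSTS environment variable is set to any non-empty value.` and, since the response.go hunk only sends the header when `IsHTTPS` is also true, adding a second sentence noting that the header is only emitted when HTTPS is enabled.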
diff --git a/config/config_test.go b/config/config_test.go
index fbc7175..2cfec81 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
}
}
+
+func TestHSTSOn(t *testing.T) {
+ os.Clearenv()
+ cfg := NewConfig()
+
+ if !cfg.HasHSTS() {
+ t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+ }
+}
+
+func TestHSTSOff(t *testing.T) {
+ os.Clearenv()
+ os.Setenv("DISABLE_HSTS", "1")
+ cfg := NewConfig()
+
+ if cfg.HasHSTS() {
+ t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+ }
+}
diff --git a/http/handler/handler.go b/http/handler/handler.go
index 882e0bd..d698b2e 100644
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
ctx := NewContext(r, h.store, h.router, h.translator)
request := NewRequest(r)
- response := NewResponse(w, r, h.template)
+ response := NewResponse(h.cfg, w, r, h.template)
language := ctx.UserLanguage()
if language != "" {
diff --git a/http/handler/response.go b/http/handler/response.go
index 34980a3..4e4c44a 100644
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
"net/http"
"time"
+ "github.com/miniflux/miniflux/config"
"github.com/miniflux/miniflux/template"
)
// Response handles HTTP responses.
type Response struct {
+ cfg *config.Config
writer http.ResponseWriter
request *http.Request
template *template.Engine
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
// Even if the directive "frame-src" has been deprecated in Firefox,
// we keep it to stay compatible with other browsers.
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+ if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+ r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+ }
}
// NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
- return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+ return &Response{cfg: cfg, writer: w, request: r, template: template}
}
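Review bot: `commonHeaders` dereferences `r.cfg` unconditionally on the new `if r.cfg.IsHTTPS && r.cfg.HasHSTS()` line, so any caller that builds a `Response` without a config (a test constructing the struct directly, or a nil passed to `NewResponse`) now panics on every response rather than just skipping the header; either guard it with `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {` or state on `NewResponse` that `cfg` must be non-nil. The bare `31536000` deserves a comment such as `// Strict-Transport-Security max-age of one year (31536000 seconds).` so the policy is readable without arithmetic. Note that the header is gated on configuration (`IsHTTPS`, read from the HTTPS environment variable in config.go) rather than on the request's scheme, which appears intended for deployments behind a TLS-terminating proxy; a sentence on `HasHSTS` or here would make that explicit. The body of `commonHeaders` starts outside the hunk.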