authorGravatar Frédéric Guillot <fred@miniflux.net>2018-02-03 15:54:02 -0800
committerGravatar Frédéric Guillot <fred@miniflux.net>2018-02-03 15:54:02 -0800
commit61bc012a6284f90001b2339ecfdfb5b96e38be10 (patch)
treee67e860a6f87137bc233181d22781f0a117cfcf1 /http
parent9c4299720900fce52daedfce2314d31e92f7fe1d (diff)
Add support for HTTP Strict Transport Security header
Diffstat (limited to 'http')
-rw-r--r--http/handler/handler.go2
-rw-r--r--http/handler/response.go10
2 files changed, 9 insertions, 3 deletions
diff --git a/http/handler/handler.go b/http/handler/handler.go
index 882e0bd..d698b2e 100644
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
ctx := NewContext(r, h.store, h.router, h.translator)
request := NewRequest(r)
- response := NewResponse(w, r, h.template)
+ response := NewResponse(h.cfg, w, r, h.template)
language := ctx.UserLanguage()
if language != "" {
diff --git a/http/handler/response.go b/http/handler/response.go
index 34980a3..4e4c44a 100644
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
"net/http"
"time"
+ "github.com/miniflux/miniflux/config"
"github.com/miniflux/miniflux/template"
)
// Response handles HTTP responses.
type Response struct {
+ cfg *config.Config
writer http.ResponseWriter
request *http.Request
template *template.Engine
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
// Even if the directive "frame-src" has been deprecated in Firefox,
// we keep it to stay compatible with other browsers.
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+ if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+ r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+ }
}
// NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
- return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+ return &Response{cfg: cfg, writer: w, request: r, template: template}
}
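Review bot: In commonHeaders, `r.cfg.IsHTTPS` is read without a nil check, and NewResponse now takes `cfg` as a plain pointer, so a caller that passes nil (a test helper, for instance) would panic on every response; `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {` keeps header emission best-effort. The hard-coded `max-age=31536000` also deserves a comment above the `Set` call, e.g. `// Browsers cache this policy for one year; disabling HSTS later only takes effect once clients receive max-age=0 over HTTPS.` How IsHTTPS is derived is not visible here; if it comes from configuration rather than from the request, confirm it is also true when TLS is terminated by a reverse proxy, otherwise the header would never be sent in that deployment. commonHeaders begins outside the hunk.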