From 61bc012a6284f90001b2339ecfdfb5b96e38be10 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Sat, 3 Feb 2018 15:54:02 -0800
Subject: Add support for HTTP Strict Transport Security header

---
config/config.go | 5 +++++
config/config_test.go | 19 +++++++++++++++++++
http/handler/handler.go | 2 +-
http/handler/response.go | 10 ++++++++--
4 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/config/config.go b/config/config.go
index 05b5d3b..9bd673e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
 return c.get("OAUTH2_PROVIDER", "")
 }
 
+// HasHSTS returns true if HTTP Strict Transport Security is enabled.
+func (c *Config) HasHSTS() bool {
+ return c.get("DISABLE_HSTS", "") == ""
+}
+
 // NewConfig returns a new Config.
 func NewConfig() *Config {
 return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
diff --git a/config/config_test.go b/config/config_test.go
index fbc7175..2cfec81 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
 t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
 }
 }
+
+func TestHSTSOn(t *testing.T) {
+ os.Clearenv()
+ cfg := NewConfig()
+
+ if !cfg.HasHSTS() {
+ t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+ }
+}
+
+func TestHSTSOff(t *testing.T) {
+ os.Clearenv()
+ os.Setenv("DISABLE_HSTS", "1")
+ cfg := NewConfig()
+
+ if cfg.HasHSTS() {
+ t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+ }
+}
diff --git a/http/handler/handler.go b/http/handler/handler.go
index 882e0bd..d698b2e 100644
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
 
 ctx := NewContext(r, h.store, h.router, h.translator)
 request := NewRequest(r)
- response := NewResponse(w, r, h.template)
+ response := NewResponse(h.cfg, w, r, h.template)
 
 language := ctx.UserLanguage()
 if language != "" {
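Review bot: HasHSTS's doc comment only says HSTS is "enabled", but the body treats any non-empty DISABLE_HSTS as off, so `DISABLE_HSTS=0` or `DISABLE_HSTS=false` also disables it and an operator expecting a boolean will be surprised. State the rule on the method, e.g. `// HasHSTS returns true unless the DISABLE_HSTS environment variable is set to any non-empty value; HSTS is enabled by default.` This assumes c.get reads the environment with the given fallback, which is not visible in the hunk but is what the new tests in config_test.go rely on.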
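Review bot: The two new tests pin HasHSTS on its own; nothing checks that commonHeaders in response.go emits Strict-Transport-Security only when IsHTTPS is set and HasHSTS is true, so the header could be dropped, or sent over plain HTTP, without any test failing. If a Response can be built in a test with an httptest.ResponseRecorder, asserting on `rec.Header().Get("Strict-Transport-Security")` for the HTTPS=1, DISABLE_HSTS=1 and unset cases would close that gap. TestHSTSOff also leaves DISABLE_HSTS set in the process environment, which is harmless only as long as every later test starts with os.Clearenv as these two do.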
diff --git a/http/handler/response.go b/http/handler/response.go
index 34980a3..4e4c44a 100644
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
 "net/http"
 "time"
 
+ "github.com/miniflux/miniflux/config"
 "github.com/miniflux/miniflux/template"
 )
 
 // Response handles HTTP responses.
 type Response struct {
+ cfg *config.Config
 writer http.ResponseWriter
 request *http.Request
 template *template.Engine
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 // Even if the directive "frame-src" has been deprecated in Firefox,
 // we keep it to stay compatible with other browsers.
 r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+ if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+ r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+ }
 }
 
 // NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
- return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+ return &Response{cfg: cfg, writer: w, request: r, template: template}
 }
-- 
cgit v1.2.3
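Review bot: The HSTS branch in commonHeaders dereferences r.cfg unconditionally while NewResponse accepts a nil *config.Config without complaint, so a Response built without a config now panics on every request instead of merely omitting the header. Either guard it, `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {`, or document the requirement on the constructor, `// NewResponse returns a new Response; cfg must not be nil.`. The gate on IsHTTPS is correct, since browsers ignore Strict-Transport-Security received over plain HTTP, but a comment saying so would keep the next reader from removing it. Because IsHTTPS comes from the HTTPS environment variable (NewConfig in the config.go hunk), the header is silently absent when TLS is terminated at a reverse proxy and that variable is not set, which is worth a line in the deployment docs. The literal 31536000 also deserves a comment, `// max-age is one year in seconds`.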