From 61bc012a6284f90001b2339ecfdfb5b96e38be10 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Sat, 3 Feb 2018 15:54:02 -0800
Subject: Add support for HTTP Strict Transport Security header

---
 http/handler/handler.go  |  2 +-
 http/handler/response.go | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

(limited to 'http')

diff --git a/http/handler/handler.go b/http/handler/handler.go
index 882e0bd..d698b2e 100644
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
 
 		ctx := NewContext(r, h.store, h.router, h.translator)
 		request := NewRequest(r)
-		response := NewResponse(w, r, h.template)
+		response := NewResponse(h.cfg, w, r, h.template)
 
 		language := ctx.UserLanguage()
 		if language != "" {
diff --git a/http/handler/response.go b/http/handler/response.go
index 34980a3..4e4c44a 100644
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/miniflux/miniflux/config"
 	"github.com/miniflux/miniflux/template"
 )
 
 // Response handles HTTP responses.
 type Response struct {
+	cfg      *config.Config
 	writer   http.ResponseWriter
 	request  *http.Request
 	template *template.Engine
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 	// Even if the directive "frame-src" has been deprecated in Firefox,
 	// we keep it to stay compatible with other browsers.
 	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+	if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+		r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+	}
 }
 
 // NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
-	return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+	return &Response{cfg: cfg, writer: w, request: r, template: template}
 }
-- 
cgit v1.2.3
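Review bot: `r.cfg` is dereferenced unguarded in the new condition while `NewResponse` accepts a nil `cfg` without complaint, so any caller or test that still builds a Response without a config now panics inside commonHeaders instead of simply not emitting the header; a guard such as `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {` preserves the old behaviour for that case. The literal `31536000` also deserves a comment, e.g. `// max-age of one year (in seconds); only sent over HTTPS, since browsers ignore HSTS on plain-HTTP responses.`, and that comment should say whether leaving out `includeSubDomains` is deliberate so the policy's scope is explicit. commonHeaders starts above the hunk, so it is not visible here whether it runs on every response path (redirects, error pages); HSTS is only effective if the header is sent consistently, so that is worth confirming.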