Add support for HTTP Strict Transport Security header

2018-02-03 15:54:02 -08:00 · 2018-02-03 15:54:02 -08:00 · 61bc012a62
parent 9c42997209
commit 61bc012a62
4 changed files with 33 additions and 3 deletions
--- a/config/config.go
+++ b/config/config.go
@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
 	return c.get("OAUTH2_PROVIDER", "")
 }

+// HasHSTS returns true if HTTP Strict Transport Security is enabled.
+func (c *Config) HasHSTS() bool {
+	return c.get("DISABLE_HSTS", "") == ""
+}
+
 // NewConfig returns a new Config.
 func NewConfig() *Config {
 	return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
--- a/config/config_test.go
+++ b/config/config_test.go
@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
 		t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
 	}
 }
+
+func TestHSTSOn(t *testing.T) {
+	os.Clearenv()
+	cfg := NewConfig()
+
+	if !cfg.HasHSTS() {
+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+	}
+}
+
+func TestHSTSOff(t *testing.T) {
+	os.Clearenv()
+	os.Setenv("DISABLE_HSTS", "1")
+	cfg := NewConfig()
+
+	if cfg.HasHSTS() {
+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+	}
+}
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {

 		ctx := NewContext(r, h.store, h.router, h.translator)
 		request := NewRequest(r)
-		response := NewResponse(w, r, h.template)
+		response := NewResponse(h.cfg, w, r, h.template)
 		language := ctx.UserLanguage()

 		if language != "" {
--- a/http/handler/response.go
+++ b/http/handler/response.go
@ -8,11 +8,13 @@ import (
 	"net/http"
 	"time"

+	"github.com/miniflux/miniflux/config"
 	"github.com/miniflux/miniflux/template"
 )

 // Response handles HTTP responses.
 type Response struct {
+	cfg      *config.Config
 	writer   http.ResponseWriter
 	request  *http.Request
 	template *template.Engine
@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 	// Even if the directive "frame-src" has been deprecated in Firefox,
 	// we keep it to stay compatible with other browsers.
 	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+	if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+		r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+	}
 }

 // NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
-	return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+	return &Response{cfg: cfg, writer: w, request: r, template: template}
 }