Add support for HTTP Strict Transport Security header
This commit is contained in:
parent
9c42997209
commit
61bc012a62
4 changed files with 33 additions and 3 deletions
@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
|
|||
return c.get("OAUTH2_PROVIDER", "")
|
||||
}
|
||||
|
||||
// HasHSTS returns true if HTTP Strict Transport Security is enabled.
|
||||
func (c *Config) HasHSTS() bool {
|
||||
return c.get("DISABLE_HSTS", "") == ""
|
||||
}
|
||||
|
||||
// NewConfig returns a new Config.
|
||||
func NewConfig() *Config {
|
||||
return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
|
||||
|
|
|
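Review bot: HasHSTS treats any non-empty DISABLE_HSTS as "disabled", so `DISABLE_HSTS=0` or `DISABLE_HSTS=false` silently switches the header off, which is an easy misconfiguration for a security header. Either document it, e.g. `// HasHSTS returns true if HTTP Strict Transport Security is enabled; any non-empty DISABLE_HSTS value (including "0") disables it.`, or parse the value with strconv.ParseBool and only disable when it parses as true. The implementation of c.get is not visible in this hunk; I am assuming it returns the fallback when the variable is unset.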
@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
|
|||
t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
|
||||
}
|
||||
}
|
||||
|
||||
func TestHSTSOn(t *testing.T) {
|
||||
os.Clearenv()
|
||||
cfg := NewConfig()
|
||||
|
||||
if !cfg.HasHSTS() {
|
||||
t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
|
||||
}
|
||||
}
|
||||
|
||||
func TestHSTSOff(t *testing.T) {
|
||||
os.Clearenv()
|
||||
os.Setenv("DISABLE_HSTS", "1")
|
||||
cfg := NewConfig()
|
||||
|
||||
if cfg.HasHSTS() {
|
||||
t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
|
||||
}
|
||||
}
|
||||
|
|
|
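Review bot: TestHSTSOff sets DISABLE_HSTS with os.Setenv and never unsets it, and both new tests call os.Clearenv(), so the process environment after this file runs depends on test order. If the toolchain is recent enough, `t.Setenv("DISABLE_HSTS", "1")` restores the variable at cleanup and refuses to run under t.Parallel. A third case with `DISABLE_HSTS=0` would pin down that any non-empty value disables the header, which the current pair leaves untested. TestDefaultBaseURL starts outside the hunk, so I cannot tell whether the existing tests already rely on os.Clearenv.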
@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
|
|||
|
||||
ctx := NewContext(r, h.store, h.router, h.translator)
|
||||
request := NewRequest(r)
|
||||
response := NewResponse(w, r, h.template)
|
||||
response := NewResponse(h.cfg, w, r, h.template)
|
||||
language := ctx.UserLanguage()
|
||||
|
||||
if language != "" {
|
||||
|
|
|
@ -8,11 +8,13 @@ import (
|
|||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/miniflux/miniflux/config"
|
||||
"github.com/miniflux/miniflux/template"
|
||||
)
|
||||
|
||||
// Response handles HTTP responses.
|
||||
type Response struct {
|
||||
cfg *config.Config
|
||||
writer http.ResponseWriter
|
||||
request *http.Request
|
||||
template *template.Engine
|
||||
|
@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
|
|||
// Even if the directive "frame-src" has been deprecated in Firefox,
|
||||
// we keep it to stay compatible with other browsers.
|
||||
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
|
||||
|
||||
if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
|
||||
r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
|
||||
}
|
||||
}
|
||||
|
||||
// NewResponse returns a new Response.
|
||||
func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
|
||||
return &Response{writer: w, request: r, template: template}
|
||||
func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
|
||||
return &Response{cfg: cfg, writer: w, request: r, template: template}
|
||||
}
|
||||
|
|
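Review bot: commonHeaders dereferences r.cfg unconditionally in the new `if r.cfg.IsHTTPS && r.cfg.HasHSTS()`, but NewResponse accepts any *config.Config including nil, so any caller that passes nil (a test building a Response directly, for instance) now panics on every response. A guard `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {` keeps the previous behaviour for that case. The gate on IsHTTPS also deserves a why-comment, e.g. `// HSTS is only meaningful over TLS; browsers ignore it on plain HTTP responses.`, and the one-year max-age could be a named constant so the policy is visible in one place. commonHeaders starts outside the hunk.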