Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers"

[r=mkanat a=mkanat]

Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers"
4a85d6d1 · Reed Loden · d386a4e8 · 4a85d6d1 · 4a85d6d1
Commit 4a85d6d1 authored Jun 25, 2010 by Reed Loden
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

CGI.pm Bugzilla/CGI.pm +6 -0

Constants.pm Bugzilla/Constants.pm +5 -0

No files found.
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -285,6 +285,12 @@ sub header {
        unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
    }

+    # Add Strict-Transport-Security (STS) header if this response
+    # is over SSL and ssl_redirect is enabled.
+    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+    }
+
    return $self->SUPER::header(@_) || "";
 }


--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -160,6 +160,7 @@ use File::Basename;
    MAX_LOGINCOOKIE_AGE
    MAX_LOGIN_ATTEMPTS
    LOGIN_LOCKOUT_INTERVAL
+    MAX_STS_AGE

    SAFE_PROTOCOLS
    LEGAL_CONTENT_TYPES
@@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;

+# The maximum number of seconds the Strict-Transport-Security header
+# will remain valid. Default is one week.
+use constant MAX_STS_AGE => 604800;
+
 # Protocols which are considered as safe.
 use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
                                'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',