unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
}
+ # Add Strict-Transport-Security (STS) header if this response
+ # is over SSL and ssl_redirect is enabled.
+ if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+ unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+ }
+
return $self->SUPER::header(@_) || "";
}
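Review bot: The `$self->https` gate on the new `if` decides whether the header is emitted at all, and if `https()` is the CGI.pm method it reports `$ENV{HTTPS}`; behind a TLS-terminating reverse proxy that variable is commonly unset, so an `ssl_redirect`-enabled install can silently never send Strict-Transport-Security, and a client that never sees the header gets no HSTS protection. The hunk records neither this dependency nor that the check is required (a UA ignores STS received over plain HTTP), so a reader may later relax the condition. Suggest extending the comment: `# RFC 6797 requires the header be sent only over TLS. https() reflects` / `# $ENV{HTTPS}; installs that terminate TLS on a front-end proxy must make` / `# sure it is set, or this header is never sent.` The enclosing header() method starts before the hunk.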
MAX_LOGINCOOKIE_AGE
MAX_LOGIN_ATTEMPTS
LOGIN_LOCKOUT_INTERVAL
+ MAX_STS_AGE
SAFE_PROTOCOLS
LEGAL_CONTENT_TYPES
# account is locked.
use constant LOGIN_LOCKOUT_INTERVAL => 30;
+# The maximum number of seconds the Strict-Transport-Security header
+# will remain valid. Default is one week.
+use constant MAX_STS_AGE => 604800;
+
# Protocols which are considered as safe.
use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
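Review bot: The comment on MAX_STS_AGE calls 604800 a "Default", but it is a compile-time constant with no parameter overriding it anywhere in this patch, so the wording implies a configurability that does not exist. It would also help to record the trade-off the value encodes: a client that does not revisit over HTTPS within the max-age window drops its HSTS policy and is again open to a downgrade on its next plain-HTTP request, so one week is a conservative lifetime and a site wanting longer coverage has to edit this constant. Suggest: `# Lifetime, in seconds, of the Strict-Transport-Security header sent by` / `# the CGI header() method. One week; clients that do not revisit over` / `# HTTPS within this window lose HSTS protection until they next see it.`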