Bug 1523365 - Ensure all requests have the HSTS header (if configured)
authorSimon Bennetts <psiinon@gmail.com>
Mon, 28 Jan 2019 19:16:22 +0000 (19:16 +0000)
committerDylan William Hardison <dylan@hardison.net>
Mon, 28 Jan 2019 19:16:22 +0000 (14:16 -0500)
Bugzilla/App.pm

index be6d275b2afb45c3b624dae4ae71c4567cf7642b..5a6b2fa70a232dfb014dd4bb8956a8e55f8d4eaf 100644 (file)
@@ -17,7 +17,7 @@ use FileHandle;    # this is for compat back to 5.10
 use Bugzilla          ();
 use Bugzilla::BugMail ();
 use Bugzilla::CGI     ();
-use Bugzilla::Constants qw(bz_locations);
+use Bugzilla::Constants qw(bz_locations MAX_STS_AGE);
 use Bugzilla::Extension             ();
 use Bugzilla::Install::Requirements ();
 use Bugzilla::Logging;
@@ -125,6 +125,19 @@ sub startup {
       }
     );
   }
+  $self->hook(after_dispatch => sub {
+    my ($c) = @_;
+    if ($c->req->is_secure
+      && ! $c->res->headers->strict_transport_security
+      && Bugzilla->params->{'strict_transport_security'} ne 'off')
+    {
+      my $sts_opts = 'max-age=' . MAX_STS_AGE;
+      if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+        $sts_opts .= '; includeSubDomains';
+      }
+      $c->res->headers->strict_transport_security($sts_opts);
+    }
+  });
   Bugzilla::WebService::Server::REST->preload;
 
   $self->setup_routes;
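Review bot: The `$c->req->is_secure` guard in the new `after_dispatch` hook is the only thing that decides whether HSTS is emitted. Mojolicious reports a request as secure from `X-Forwarded-Proto` only when reverse-proxy mode is enabled, so behind a TLS-terminating proxy without that setting the header would silently never be sent. Whether this deployment enables it is not visible in the hunk, so I would add a comment above the condition such as `# is_secure honours X-Forwarded-Proto only in reverse-proxy mode; without it no HSTS header is sent behind a TLS-terminating proxy`. The parameter is also read twice and compared with `ne 'off'`, which treats an undefined value as enabled (with a warning); reading it once as `my $sts = Bugzilla->params->{'strict_transport_security'} // 'off';` would make the unset case explicit. The body of `startup` begins before this hunk and continues after it.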