From: Reed Loden
Date: Sat, 26 Jun 2010 01:12:06 +0000 (-0500)
Subject: Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers"
X-Git-Tag: bugzilla-3.7.2~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a85d6d1ead4cf6020148034425b7ea6de0f5899;p=thirdparty%2Fbugzilla.git

Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers" [r=mkanat a=mkanat]
---

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 848f840b2d..30f88bd5bc 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -285,6 +285,12 @@ sub header {
         unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
     }
 
+    # Add Strict-Transport-Security (STS) header if this response
+    # is over SSL and ssl_redirect is enabled.
+    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+    }
+
     return $self->SUPER::header(@_) || "";
 }
 
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 37af78fb00..d11736af10 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -160,6 +160,7 @@ use File::Basename;
     MAX_LOGINCOOKIE_AGE
     MAX_LOGIN_ATTEMPTS
     LOGIN_LOCKOUT_INTERVAL
+    MAX_STS_AGE
     SAFE_PROTOCOLS
 
     LEGAL_CONTENT_TYPES
@@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;
 
+# The maximum number of seconds the Strict-Transport-Security header
+# will remain valid. Default is one week.
+use constant MAX_STS_AGE => 604800;
+
 # Protocols which are considered as safe.
 use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https', 'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
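Review bot: The new `if` block in `header` enables a policy that browsers persist, but the comment does not say what that means for operators: once a client has received `Strict-Transport-Security`, it will refuse plain-HTTP connections to this host for MAX_STS_AGE even if `ssl_redirect` is switched off afterwards, so I would extend the comment with `# Browsers cache this for MAX_STS_AGE; turning ssl_redirect off only takes effect once that expires.` The comment should also state that "over SSL" is decided by `$self->https` as inherited from CGI; if a deployment terminates TLS in front of the web server and that value does not reflect the real connection, the header would silently never be sent (I cannot confirm from this hunk how Bugzilla populates it). The constant is a plain `max-age`; that `includeSubDomains` is deliberately not set is worth a word in the MAX_STS_AGE comment in Constants.pm so nobody "fixes" it later.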