From: Simon Bennetts
Date: Mon, 28 Jan 2019 19:16:22 +0000 (+0000)
Subject: Bug 1523365 - Ensure all requests have the HSTS header (if configured)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56706fa682dad9e1ef24cbbe2ce24a5be9c2ccde;p=thirdparty%2Fbugzilla.git
Bug 1523365 - Ensure all requests have the HSTS header (if configured)
---
diff --git a/Bugzilla/App.pm b/Bugzilla/App.pm
index be6d275b2..5a6b2fa70 100644
--- a/Bugzilla/App.pm
+++ b/Bugzilla/App.pm
@@ -17,7 +17,7 @@ use FileHandle; # this is for compat back to 5.10
 use Bugzilla ();
 use Bugzilla::BugMail ();
 use Bugzilla::CGI ();
-use Bugzilla::Constants qw(bz_locations);
+use Bugzilla::Constants qw(bz_locations MAX_STS_AGE);
 use Bugzilla::Extension ();
 use Bugzilla::Install::Requirements ();
 use Bugzilla::Logging;
@@ -125,6 +125,19 @@ sub startup {
 }
 );
 }
+ $self->hook(after_dispatch => sub {
+ my ($c) = @_;
+ if ($c->req->is_secure
+ && ! $c->res->headers->strict_transport_security
+ && Bugzilla->params->{'strict_transport_security'} ne 'off')
+ {
+ my $sts_opts = 'max-age=' . MAX_STS_AGE;
+ if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+ $sts_opts .= '; includeSubDomains';
+ }
+ $c->res->headers->strict_transport_security($sts_opts);
+ }
+ });
 Bugzilla::WebService::Server::REST->preload;
 $self->setup_routes;
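Review bot: The new after_dispatch hook gates the header on `$c->req->is_secure`, so when TLS is terminated by a proxy in front of the application the header is only emitted if Mojolicious is trusting the forwarded scheme (reverse-proxy mode); otherwise every request looks insecure and the HSTS header this commit sets out to guarantee is silently never sent — I cannot see from the hunk whether startup() enables that, so it is worth confirming and recording with a comment such as `# HSTS is only honoured over TLS (RFC 6797), so is_secure gates it; behind a TLS-terminating proxy the forwarded scheme must be trusted or this never fires`. The `! $c->res->headers->strict_transport_security` guard is presumably there so a header already set on the legacy CGI path is left untouched; a one-line comment saying so would stop a reader from taking it for a bug. Style-wise the parameter is read twice, once to compare with 'off' and once with 'include_subdomains'; hoisting it into a lexical reads better: `my $sts = Bugzilla->params->{'strict_transport_security'};` followed by `if ($c->req->is_secure && !$c->res->headers->strict_transport_security && $sts ne 'off') {` and `if ($sts eq 'include_subdomains') {` below. The enclosing sub startup continues outside the hunk, and the hunk's trailing context may extend past the visible text.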