From: Max Kanat-Alexander <mkanat@bugzilla.org>
Date: Tue, 28 Sep 2010 03:18:46 +0000 (-0700)
Subject: Bug 594990: Make the Strict-Transport-Security HTTP header only be sent
X-Git-Tag: bugzilla-4.0rc1~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abc22b79d5444b30de4f18186216426289b4385c;p=thirdparty%2Fbugzilla.git

Bug 594990: Make the Strict-Transport-Security HTTP header only be sent
if a particular parameter is enabled.
r=glob, a=mkanat
---

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index e2d238f5a2..447c0749b9 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -287,8 +287,8 @@ sub header {
     }
 
     # Add Strict-Transport-Security (STS) header if this response
-    # is over SSL and ssl_redirect is enabled.
-    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+    # is over SSL and the strict_transport_security param is turned on.
+    if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
         unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
     }
 
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index 1acf76f38b..e15a429630 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -52,6 +52,12 @@ use constant get_param_list => (
    type => 't',
    default => ''
   },
+
+  {
+   name => 'strict_transport_security',
+   type => 'b',
+   default => 0,
+  },
 );
 
 1;
diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl
index 4caa2f1dc5..2414a46fb4 100644
--- a/template/en/default/admin/params/advanced.html.tmpl
+++ b/template/en/default/admin/params/advanced.html.tmpl
@@ -24,6 +24,19 @@
    desc = "Settings for advanced configurations."
 %]
 
+[% sts_desc = BLOCK %]
+  Enables the sending of the 
+  <a href="http://en.wikipedia.org/wiki/Strict_Transport_Security">Strict-Transport-Security</a>
+  header along with HTTP responses on SSL connections. This adds greater
+  security to your SSL connections by forcing the browser to always
+  access your domain over SSL and never accept an invalid certificate. 
+  However, it should only be used if you have the <code>ssl_redirect</code>
+  parameter turned on, Bugzilla is the only thing running
+  on its domain (i.e., your <code>urlbase</code> is something like
+  <code>http://bugzilla.example.com/</code>), and you never plan to disable
+  the <code>ssl_redirect</code> parameter.
+[% END %]
+
 [% param_descs = {
   cookiedomain => 
     "If your website is at 'www.foo.com', setting this to"
@@ -47,4 +60,6 @@
     _ " necessary to enter its URL if the web server cannot access the"
     _ " HTTP_PROXY environment variable. If you have to authenticate,"
     _ " use the <code>http://user:pass@proxy_url/</code> syntax.",
+
+  strict_transport_security => sts_desc,
 } %]