wsd: add hsts header with config

Change-Id: I16955edd09cf68e995294055ea2cb3f458b3ba38 Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2021-12-21 02:15:29 -05:00 · 2021-12-21 02:15:29 -05:00 · 777858e617
parent c9082aea86
commit 777858e617
3 changed files with 22 additions and 1 deletions
--- a/coolwsd.xml.in
+++ b/coolwsd.xml.in
@ -152,6 +152,10 @@
            <pin></pin>
            </pins>
        </hpkp>
+        <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
+            <enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
+            <max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
+        </sts>
    </ssl>

    <security desc="Altering these defaults potentially opens you to significant risk">
--- a/wsd/COOLWSD.cpp
+++ b/wsd/COOLWSD.cpp
@ -1106,6 +1106,8 @@ void COOLWSD::innerInitialize(Application& self)
            { "ssl.hpkp.report_uri[@enable]", "false" },
            { "ssl.hpkp[@enable]", "false" },
            { "ssl.hpkp[@report_only]", "false" },
+            { "ssl.sts.enabled", "false" },
+            { "ssl.sts.max_age", "31536000" },
            { "ssl.key_file_path", COOLWSD_CONFIGDIR "/key.pem" },
            { "ssl.termination", "true" },
            { "storage.filesystem[@allow]", "false" },
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@ -490,6 +490,22 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request,
        noCache = true;
 #endif
        Poco::Net::HTTPResponse response;
+
+        const auto& config = Application::instance().config();
+
+        // HSTS hardening. Disabled in debug builds.
+#if !ENABLE_DEBUG
+        if (COOLWSD::isSSLEnabled() || COOLWSD::isSSLTermination())
+        {
+            if (config.getBool("ssl.sts.enabled", false))
+            {
+                const auto maxAge = config.getInt("ssl.sts.max_age", 31536000); // Default 1 year.
+                response.add("Strict-Transport-Security",
+                             "max-age=" + std::to_string(maxAge) + "; includeSubDomains");
+            }
+        }
+#endif
+
        Poco::URI requestUri(request.getURI());
        LOG_TRC("Fileserver request: " << requestUri.toString());
        requestUri.normalize(); // avoid .'s and ..'s
@ -507,7 +523,6 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request,

        std::string relPath = getRequestPathname(request);
        std::string endPoint = requestSegments[requestSegments.size() - 1];
-        const auto& config = Application::instance().config();

        static std::string etagString = "\"" COOLWSD_VERSION_HASH +
            config.getString("ver_suffix", "") + "\"";