wsd: add hsts header with config
Change-Id: I16955edd09cf68e995294055ea2cb3f458b3ba38 Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>pull/3961/head
parent
c9082aea86
commit
777858e617
|
@ -152,6 +152,10 @@
|
|||
<pin></pin>
|
||||
</pins>
|
||||
</hpkp>
|
||||
<sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
|
||||
<enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
|
||||
<max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
|
||||
</sts>
|
||||
</ssl>
|
||||
|
||||
<security desc="Altering these defaults potentially opens you to significant risk">
|
||||
|
|
|
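Review bot: The `enabled` description ("Cannot be disabled without resetting the browsers") overstates the lock-in: RFC 6797 defines `max-age=0` as the signal for a user agent to drop a cached policy, and the `max_age` description two lines below already allows 0, so the two descriptions should agree on the rollback path. I would reword it to `desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production: once browsers have seen the header they enforce HTTPS for max_age seconds. To roll back, keep this enabled and set max_age to 0 so clients expire the policy, rather than simply disabling it."`. Since the header itself is only emitted in non-debug builds (per the code change in this commit), it may also be worth saying here that debug builds never send it, so operators do not expect to see it while testing.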
@ -1106,6 +1106,8 @@ void COOLWSD::innerInitialize(Application& self)
|
|||
{ "ssl.hpkp.report_uri[@enable]", "false" },
|
||||
{ "ssl.hpkp[@enable]", "false" },
|
||||
{ "ssl.hpkp[@report_only]", "false" },
|
||||
{ "ssl.sts.enabled", "false" },
|
||||
{ "ssl.sts.max_age", "31536000" },
|
||||
{ "ssl.key_file_path", COOLWSD_CONFIGDIR "/key.pem" },
|
||||
{ "ssl.termination", "true" },
|
||||
{ "storage.filesystem[@allow]", "false" },
|
||||
|
|
|
@ -490,6 +490,22 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request,
|
|||
noCache = true;
|
||||
#endif
|
||||
Poco::Net::HTTPResponse response;
|
||||
|
||||
const auto& config = Application::instance().config();
|
||||
|
||||
// HSTS hardening. Disabled in debug builds.
|
||||
#if !ENABLE_DEBUG
|
||||
if (COOLWSD::isSSLEnabled() || COOLWSD::isSSLTermination())
|
||||
{
|
||||
if (config.getBool("ssl.sts.enabled", false))
|
||||
{
|
||||
const auto maxAge = config.getInt("ssl.sts.max_age", 31536000); // Default 1 year.
|
||||
response.add("Strict-Transport-Security",
|
||||
"max-age=" + std::to_string(maxAge) + "; includeSubDomains");
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
Poco::URI requestUri(request.getURI());
|
||||
LOG_TRC("Fileserver request: " << requestUri.toString());
|
||||
requestUri.normalize(); // avoid .'s and ..'s
|
||||
|
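Review bot: The `max_age` value read at the `config.getInt("ssl.sts.max_age", 31536000)` line is formatted into the header without validation, so a negative value in the config produces `max-age=-1`, which RFC 6797 does not define (delta-seconds is non-negative) and a user agent may then ignore the whole header. Clamp it before formatting, e.g. `const auto maxAge = std::max(0, config.getInt("ssl.sts.max_age", 31536000)); // rfc6797: delta-seconds is non-negative` (needs `<algorithm>` if the file does not already include it); a log line when the value is clamped would help operators notice a typo. It also looks like the header is attached only to the `response` object built in this file-server handler, so any other HTTPS responses the server produces elsewhere (or error paths in this function that build their own response) would presumably lack the policy — worth confirming, since HSTS is only effective when every response over TLS carries it. handleRequest starts and ends outside the hunk.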
@ -507,7 +523,6 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request,
|
|||
|
||||
std::string relPath = getRequestPathname(request);
|
||||
std::string endPoint = requestSegments[requestSegments.size() - 1];
|
||||
const auto& config = Application::instance().config();
|
||||
|
||||
static std::string etagString = "\"" COOLWSD_VERSION_HASH +
|
||||
config.getString("ver_suffix", "") + "\"";
|
||||
|
|