diff options
author | Reed Loden <reed@reedloden.com> | 2010-06-26 03:12:06 +0200 |
---|---|---|
committer | Reed Loden <reed@reedloden.com> | 2010-06-26 03:12:06 +0200 |
commit | 4a85d6d1ead4cf6020148034425b7ea6de0f5899 (patch) | |
tree | 76a62bf83aa9088da952a649a6ac26b618938160 | |
parent | d386a4e8d5eeb9936c0d60029d5193dcf547e442 (diff) | |
download | bugzilla-4a85d6d1ead4cf6020148034425b7ea6de0f5899.tar.gz bugzilla-4a85d6d1ead4cf6020148034425b7ea6de0f5899.tar.xz |
Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers"
[r=mkanat a=mkanat]
-rw-r--r-- | Bugzilla/CGI.pm | 6 | ||||
-rw-r--r-- | Bugzilla/Constants.pm | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 848f840b2..30f88bd5b 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -285,6 +285,12 @@ sub header { unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list}); } + # Add Strict-Transport-Security (STS) header if this response + # is over SSL and ssl_redirect is enabled. + if ($self->https && Bugzilla->params->{'ssl_redirect'}) { + unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE); + } + return $self->SUPER::header(@_) || ""; } diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index 37af78fb0..d11736af1 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -160,6 +160,7 @@ use File::Basename; MAX_LOGINCOOKIE_AGE MAX_LOGIN_ATTEMPTS LOGIN_LOCKOUT_INTERVAL + MAX_STS_AGE SAFE_PROTOCOLS LEGAL_CONTENT_TYPES @@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5; # account is locked. use constant LOGIN_LOCKOUT_INTERVAL => 30; +# The maximum number of seconds the Strict-Transport-Security header +# will remain valid. Default is one week. +use constant MAX_STS_AGE => 604800; + # Protocols which are considered as safe. use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https', 'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet', |