authorReed Loden <reed@reedloden.com>2010-06-26 03:12:06 +0200
committerReed Loden <reed@reedloden.com>2010-06-26 03:12:06 +0200
commit4a85d6d1ead4cf6020148034425b7ea6de0f5899 (patch)
tree76a62bf83aa9088da952a649a6ac26b618938160
parentd386a4e8d5eeb9936c0d60029d5193dcf547e442 (diff)
Bug 562475 - "Bugzilla should use strict-transport-security (STS) headers"
[r=mkanat a=mkanat]
-rw-r--r--Bugzilla/CGI.pm6
-rw-r--r--Bugzilla/Constants.pm5
2 files changed, 11 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 848f840b2..30f88bd5b 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -285,6 +285,12 @@ sub header {
unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
}
+ # Add Strict-Transport-Security (STS) header if this response
+ # is over SSL and ssl_redirect is enabled.
+ if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+ unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+ }
+
return $self->SUPER::header(@_) || "";
}
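Review bot: The new header is gated on `$self->https`, and CGI.pm's https() is driven by the HTTPS environment variable, so a deployment that terminates TLS at a reverse proxy and speaks plain HTTP to Bugzilla will presumably never send Strict-Transport-Security even with ssl_redirect on; the added comment should say so, since an admin reading it would assume the header is emitted whenever ssl_redirect is set. A second point worth a comment: browsers cache the policy for the full max-age, so turning ssl_redirect off afterwards does not restore HTTP access for clients that already received it, e.g. `# Browsers cache this policy for MAX_STS_AGE seconds; disabling ssl_redirect does not clear it.` The value omits includeSubDomains, which is fine if Bugzilla's cookies are host-scoped, but that choice is not stated anywhere. sub header begins before this hunk.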
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 37af78fb0..d11736af1 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -160,6 +160,7 @@ use File::Basename;
MAX_LOGINCOOKIE_AGE
MAX_LOGIN_ATTEMPTS
LOGIN_LOCKOUT_INTERVAL
+ MAX_STS_AGE
SAFE_PROTOCOLS
LEGAL_CONTENT_TYPES
@@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
# account is locked.
use constant LOGIN_LOCKOUT_INTERVAL => 30;
+# The maximum number of seconds the Strict-Transport-Security header
+# will remain valid. Default is one week.
+use constant MAX_STS_AGE => 604800;
+
# Protocols which are considered as safe.
use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
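Review bot: The comment on MAX_STS_AGE calls one week the "Default", but nothing in this commit makes the value configurable, so the wording overstates what an admin can change; suggest `# Number of seconds a browser should remember to use HTTPS only (STS max-age). Fixed at one week.` A one-week max-age also means the policy lapses after a week without a visit, and the next request is again a plain-HTTP hit until the ssl_redirect round trip; if the short lifetime is intentional (easing rollback of ssl_redirect), the comment should say that, otherwise a longer value would be the usual choice.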