Bug 594990: Make the Strict-Transport-Security HTTP header only be sent

if a particular parameter is enabled. r=glob, a=mkanat
author: Max Kanat-Alexander <mkanat@bugzilla.org> 2010-09-28 05:16:57 +0200
committer: Max Kanat-Alexander <mkanat@bugzilla.org> 2010-09-28 05:16:57 +0200
commit: f64efa79bd78ab59cb65588feacf93e0de475e48 (patch)
tree: 5d38efa3cc9da3dbcce08c975adc55a525570b86 /Bugzilla
parent: 707573450030f45f33ac464d393749d32c55ae73 (diff)
download: bugzilla-f64efa79bd78ab59cb65588feacf93e0de475e48.tar.gz
bugzilla-f64efa79bd78ab59cb65588feacf93e0de475e48.tar.xz
2 files changed, 8 insertions, 2 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 295c57bb2..de92cda99 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -275,8 +275,8 @@ sub header {
     }
 
     # Add Strict-Transport-Security (STS) header if this response
-    # is over SSL and ssl_redirect is enabled.
-    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+    # is over SSL and the strict_transport_security param is turned on.
+    if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
         unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
     }
 
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index 1acf76f38..e15a42963 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -52,6 +52,12 @@ use constant get_param_list => (
    type => 't',
    default => ''
   },
+
+  {
+   name => 'strict_transport_security',
+   type => 'b',
+   default => 0,
+  },
 );
 
 1;
author	Max Kanat-Alexander <mkanat@bugzilla.org>	2010-09-28 05:16:57 +0200
committer	Max Kanat-Alexander <mkanat@bugzilla.org>	2010-09-28 05:16:57 +0200
commit	f64efa79bd78ab59cb65588feacf93e0de475e48 (patch)
tree	5d38efa3cc9da3dbcce08c975adc55a525570b86 /Bugzilla
parent	707573450030f45f33ac464d393749d32c55ae73 (diff)
download	bugzilla-f64efa79bd78ab59cb65588feacf93e0de475e48.tar.gz bugzilla-f64efa79bd78ab59cb65588feacf93e0de475e48.tar.xz