diff options
-rw-r--r-- | Bugzilla/CGI.pm | 8 | ||||
-rw-r--r-- | Bugzilla/Config/Advanced.pm | 6 | ||||
-rw-r--r-- | template/en/default/admin/params/advanced.html.tmpl | 16 |
3 files changed, 26 insertions, 4 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index de92cda99..054ba96a0 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -276,8 +276,12 @@ sub header { # Add Strict-Transport-Security (STS) header if this response # is over SSL and the strict_transport_security param is turned on. - if ($self->https && Bugzilla->params->{'strict_transport_security'}) { - unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE); + if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') { + my $sts_opts = 'max-age=' . MAX_STS_AGE; + if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') { + $sts_opts .= '; includeSubDomains'; + } + unshift(@_, '-strict_transport_security' => $sts_opts); } return $self->SUPER::header(@_) || ""; diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm index e15a42963..fada813f1 100644 --- a/Bugzilla/Config/Advanced.pm +++ b/Bugzilla/Config/Advanced.pm @@ -55,8 +55,10 @@ use constant get_param_list => ( { name => 'strict_transport_security', - type => 'b', - default => 0, + type => 's', + choices => ['off', 'this_domain_only', 'include_subdomains'], + default => 'off', + checker => \&check_multi }, ); diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl index 10a1fb678..a8e8a297b 100644 --- a/template/en/default/admin/params/advanced.html.tmpl +++ b/template/en/default/admin/params/advanced.html.tmpl @@ -35,6 +35,22 @@ on its domain (i.e., your <code>urlbase</code> is something like <code>http://bugzilla.example.com/</code>), and you never plan to disable the <code>ssl_redirect</code> parameter. + <ul> + <li> + off - Don't send the Strict-Transport-Security header with requests. + </li> + <li> + this_domain_only - Send the Strict-Transport-Security header with all + requests, but only support it for the current domain. + </li> + <li> + include_subdomains - Send the Strict-Transport-Security header along + with the <code>includeSubDomains</code> flag, which will apply the + security change to all subdomains. This is especially useful when + combined with an <code>attachment_base</code> that exists as (a) + subdomain(s) under the main [% terms.Bugzilla %] domain. + </li> + </ul> [% END %] [% param_descs = { |