diff options
-rw-r--r-- | Bugzilla/CGI.pm | 6 | ||||
-rw-r--r-- | Bugzilla/Constants.pm | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 848f840b2..30f88bd5b 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -285,6 +285,12 @@ sub header { unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list}); } + # Add Strict-Transport-Security (STS) header if this response + # is over SSL and ssl_redirect is enabled. + if ($self->https && Bugzilla->params->{'ssl_redirect'}) { + unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE); + } + return $self->SUPER::header(@_) || ""; } diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index 37af78fb0..d11736af1 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -160,6 +160,7 @@ use File::Basename; MAX_LOGINCOOKIE_AGE MAX_LOGIN_ATTEMPTS LOGIN_LOCKOUT_INTERVAL + MAX_STS_AGE SAFE_PROTOCOLS LEGAL_CONTENT_TYPES @@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5; # account is locked. use constant LOGIN_LOCKOUT_INTERVAL => 30; +# The maximum number of seconds the Strict-Transport-Security header +# will remain valid. Default is one week. +use constant MAX_STS_AGE => 604800; + # Protocols which are considered as safe. use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https', 'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet', |