summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/CGI.pm4
-rw-r--r--Bugzilla/Config/Advanced.pm6
-rw-r--r--template/en/default/admin/params/advanced.html.tmpl15
3 files changed, 23 insertions, 2 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 295c57bb2..de92cda99 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -275,8 +275,8 @@ sub header {
}
# Add Strict-Transport-Security (STS) header if this response
- # is over SSL and ssl_redirect is enabled.
- if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+ # is over SSL and the strict_transport_security param is turned on.
+ if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
}
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index 1acf76f38..e15a42963 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -52,6 +52,12 @@ use constant get_param_list => (
type => 't',
default => ''
},
+
+ {
+ name => 'strict_transport_security',
+ type => 'b',
+ default => 0,
+ },
);
1;
diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl
index 4caa2f1dc..2414a46fb 100644
--- a/template/en/default/admin/params/advanced.html.tmpl
+++ b/template/en/default/admin/params/advanced.html.tmpl
@@ -24,6 +24,19 @@
desc = "Settings for advanced configurations."
%]
+[% sts_desc = BLOCK %]
+ Enables the sending of the
+ <a href="http://en.wikipedia.org/wiki/Strict_Transport_Security">Strict-Transport-Security</a>
+ header along with HTTP responses on SSL connections. This adds greater
+ security to your SSL connections by forcing the browser to always
+ access your domain over SSL and never accept an invalid certificate.
+ However, it should only be used if you have the <code>ssl_redirect</code>
+ parameter turned on, Bugzilla is the only thing running
+ on its domain (i.e., your <code>urlbase</code> is something like
+ <code>http://bugzilla.example.com/</code>), and you never plan to disable
+ the <code>ssl_redirect</code> parameter.
+[% END %]
+
[% param_descs = {
cookiedomain =>
"If your website is at 'www.foo.com', setting this to"
@@ -47,4 +60,6 @@
_ " necessary to enter its URL if the web server cannot access the"
_ " HTTP_PROXY environment variable. If you have to authenticate,"
_ " use the <code>http://user:pass@proxy_url/</code> syntax.",
+
+ strict_transport_security => sts_desc,
} %]