diff options
-rw-r--r-- | Bugzilla/CGI.pm | 4 | ||||
-rw-r--r-- | Bugzilla/Config/Advanced.pm | 6 | ||||
-rw-r--r-- | template/en/default/admin/params/advanced.html.tmpl | 15 |
3 files changed, 23 insertions, 2 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 295c57bb2..de92cda99 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -275,8 +275,8 @@ sub header { } # Add Strict-Transport-Security (STS) header if this response - # is over SSL and ssl_redirect is enabled. - if ($self->https && Bugzilla->params->{'ssl_redirect'}) { + # is over SSL and the strict_transport_security param is turned on. + if ($self->https && Bugzilla->params->{'strict_transport_security'}) { unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE); } diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm index 1acf76f38..e15a42963 100644 --- a/Bugzilla/Config/Advanced.pm +++ b/Bugzilla/Config/Advanced.pm @@ -52,6 +52,12 @@ use constant get_param_list => ( type => 't', default => '' }, + + { + name => 'strict_transport_security', + type => 'b', + default => 0, + }, ); 1; diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl index 4caa2f1dc..2414a46fb 100644 --- a/template/en/default/admin/params/advanced.html.tmpl +++ b/template/en/default/admin/params/advanced.html.tmpl @@ -24,6 +24,19 @@ desc = "Settings for advanced configurations." %] +[% sts_desc = BLOCK %] + Enables the sending of the + <a href="http://en.wikipedia.org/wiki/Strict_Transport_Security">Strict-Transport-Security</a> + header along with HTTP responses on SSL connections. This adds greater + security to your SSL connections by forcing the browser to always + access your domain over SSL and never accept an invalid certificate. + However, it should only be used if you have the <code>ssl_redirect</code> + parameter turned on, Bugzilla is the only thing running + on its domain (i.e., your <code>urlbase</code> is something like + <code>http://bugzilla.example.com/</code>), and you never plan to disable + the <code>ssl_redirect</code> parameter. +[% END %] + [% param_descs = { cookiedomain => "If your website is at 'www.foo.com', setting this to" @@ -47,4 +60,6 @@ _ " necessary to enter its URL if the web server cannot access the" _ " HTTP_PROXY environment variable. If you have to authenticate," _ " use the <code>http://user:pass@proxy_url/</code> syntax.", + + strict_transport_security => sts_desc, } %] |