From 4a85d6d1ead4cf6020148034425b7ea6de0f5899 Mon Sep 17 00:00:00 2001
From: Reed Loden <reed@reedloden.com>
Date: Fri, 25 Jun 2010 20:12:06 -0500
Subject: Bug 562475 - "Bugzilla should use strict-transport-security (STS)
 headers" [r=mkanat a=mkanat]

---
 Bugzilla/CGI.pm       | 6 ++++++
 Bugzilla/Constants.pm | 5 +++++
 2 files changed, 11 insertions(+)

(limited to 'Bugzilla')

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 848f840b2..30f88bd5b 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -285,6 +285,12 @@ sub header {
         unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
     }
 
+    # Add Strict-Transport-Security (STS) header if this response
+    # is over SSL and ssl_redirect is enabled.
+    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+    }
+
     return $self->SUPER::header(@_) || "";
 }
 
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 37af78fb0..d11736af1 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -160,6 +160,7 @@ use File::Basename;
     MAX_LOGINCOOKIE_AGE
     MAX_LOGIN_ATTEMPTS
     LOGIN_LOCKOUT_INTERVAL
+    MAX_STS_AGE
 
     SAFE_PROTOCOLS
     LEGAL_CONTENT_TYPES
@@ -421,6 +422,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;
 
+# The maximum number of seconds the Strict-Transport-Security header
+# will remain valid. Default is one week.
+use constant MAX_STS_AGE => 604800;
+
 # Protocols which are considered as safe.
 use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
                                 'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
-- 
cgit v1.2.3-24-g4f1b