WIP: Support hsts #7423
routers/routes/routes.go (review comment on these lines, since outdated):
func createHeaderValueNew(maxAge time.Duration, sendPreloadDirective bool) string {
    buf := bytes.NewBufferString("max-age=")
    buf.WriteString(strconv.Itoa(int(maxAge.Seconds())))
    buf.WriteString("; includeSubDomains")
That means if somebody runs gitea on example.com, the HSTS policy would apply to *.example.com, and their other subdomains will not load in a browser that uses HSTS if they don't have SSL configured. So if they run another service on wiki.example.com that has no SSL, it would stop working.
I think we should move this line into the if sendPreloadDirective check, since it is required for preload but not required otherwise.
done.
If preload is used, then it has to meet the requirements for the other values:
https://hstspreload.org
https://wiki.mozilla.org/SecurityEngineering/HTTP_Strict_Transport_Security_(HSTS)_Preload_List
So Firefox bases their list on Google's, which requires maxAge >= 1 year and includeSubDomains, but then has separate rules to change it after. I think if a user sets SEND_PRELOAD_DIRECTIVE = true, then we should force the other settings to match what Google requires, and it will work in all browsers then.
Maybe like this:
// assumes the bytes, strconv and time imports already used in routes.go
buf := bytes.NewBufferString("max-age=")
if sendPreloadDirective {
    // preload requires max-age of at least one year and includeSubDomains
    if int(maxAge.Seconds()) < 31536000 {
        maxAge = time.Hour * 24 * 365
    }
    buf.WriteString(strconv.Itoa(int(maxAge.Seconds())))
    buf.WriteString("; includeSubDomains")
    buf.WriteString("; preload")
} else {
    buf.WriteString(strconv.Itoa(int(maxAge.Seconds())))
    if includeSubDomains {
        buf.WriteString("; includeSubDomains")
    }
}
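As an added example (not code from this PR or from Gitea), the header builder the thread converges on, together with a small net/http middleware that only emits the header on requests that arrived over TLS or that a reverse proxy marked as HTTPS via X-Forwarded-Proto (an assumed proxy header name, covering the reverse-proxy case the PR description raises). Function and parameter names are my own.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
	"time"
)

// preloadMinAge: hstspreload.org requires max-age of at least one year.
const preloadMinAge = 365 * 24 * time.Hour

// HSTSHeaderValue builds the Strict-Transport-Security value. With preload set,
// the value is forced to satisfy the preload rules (max-age >= 1 year and
// includeSubDomains); otherwise includeSubDomains is emitted only when the
// operator asked for it, so sibling hosts without TLS keep working.
func HSTSHeaderValue(maxAge time.Duration, includeSubDomains, preload bool) string {
	if preload {
		if maxAge < preloadMinAge {
			maxAge = preloadMinAge
		}
		includeSubDomains = true
	}
	var b strings.Builder
	b.WriteString("max-age=" + strconv.Itoa(int(maxAge.Seconds())))
	if includeSubDomains {
		b.WriteString("; includeSubDomains")
	}
	if preload {
		b.WriteString("; preload")
	}
	return b.String()
}

// HSTSMiddleware adds the header only when the request arrived over TLS, either
// directly or as reported by a reverse proxy through X-Forwarded-Proto (assumed
// proxy header name). Browsers ignore HSTS received over plain HTTP (RFC 6797).
func HSTSMiddleware(maxAge time.Duration, includeSubDomains, preload bool, next http.Handler) http.Handler {
	value := HSTSHeaderValue(maxAge, includeSubDomains, preload)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
			w.Header().Set("Strict-Transport-Security", value)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	println(HSTSHeaderValue(time.Hour, false, true))
}
```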
Instead of adding a configuration (and useless code) for static HTTP headers, would it be instead possible to just let the user configure static HTTP headers in a separate config section using key-value mapping? Something like:
I agree, I almost suggested in my last response that it would be easier to just let people enter the entire header string rather than try and have different options. It could default to empty and the app.ini sample / config cheat sheet could list some values people might want to enter (like those above).
Thinking about the above header format, we could require the keys/header names to be uppercase for consistency with our .ini format and then lowercase them when sending them out (because HTTP headers are case-insensitive).
Not really helping for this PR (I think HSTS should always be a conscious user choice), but there's a header for that specific issue.
As title. Since a gitea service may be behind a reverse proxy, we don't know if it's an HTTPS request or an HTTP one. So users could enable it if they know the service will always use HTTPS.
@techknowlogick Just remember you implemented the middleware after I wrote the PR. :(
Should fix #3788