Add support for HTTP Strict Transport Security header

2025-09-15 18:57:04 +00:00 · 2018-02-03 15:54:02 -08:00 · 2018-02-03 15:54:02 -08:00 · 61bc012a62
commit 61bc012a62
parent 9c42997209
4 changed files with 33 additions and 3 deletions
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {

 		ctx := NewContext(r, h.store, h.router, h.translator)
 		request := NewRequest(r)
-		response := NewResponse(w, r, h.template)
+		response := NewResponse(h.cfg, w, r, h.template)
 		language := ctx.UserLanguage()

 		if language != "" {
--- a/http/handler/response.go
+++ b/http/handler/response.go
@ -8,11 +8,13 @@ import (
 	"net/http"
 	"time"

+	"github.com/miniflux/miniflux/config"
 	"github.com/miniflux/miniflux/template"
 )

 // Response handles HTTP responses.
 type Response struct {
+	cfg      *config.Config
 	writer   http.ResponseWriter
 	request  *http.Request
 	template *template.Engine
@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 	// Even if the directive "frame-src" has been deprecated in Firefox,
 	// we keep it to stay compatible with other browsers.
 	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+	if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+		r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+	}
 }

 // NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
-	return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+	return &Response{cfg: cfg, writer: w, request: r, template: template}
 }