diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -24,6 +24,24 @@
$headers[] = array('X-Frame-Options', 'Deny');
}
+ if ($this->getRequest() && $this->getRequest()->isHTTPS()) {
+ $hsts_key = 'security.strict-transport-security';
+ $use_hsts = PhabricatorEnv::getEnvConfig($hsts_key);
+ if ($use_hsts) {
+ $duration = phutil_units('365 days in seconds');
+ } else {
+ // If HSTS has been disabled, tell browsers to turn it off. This may
+ // not be effective because we can only disable it over a valid HTTPS
+ // connection, but it best represents the configured intent.
+ $duration = 0;
+ }
+
+ $headers[] = array(
+ 'Strict-Transport-Security',
+ "max-age={$duration}; includeSubdomains; preload",
+ );
+ }
+
return $headers;
}
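Review bot: The `Strict-Transport-Security` value built on the `"max-age={$duration}; includeSubdomains; preload"` line commits every installation to `includeSubdomains` and `preload` with no way to configure either. `preload` is the opt-in signal browsers' HSTS preload lists look for, so any install that meets the list criteria can be submitted to it by a third party, and getting a domain removed again is slow and not under this code's control; `includeSubdomains` forces HTTPS for every subdomain of the host, including ones served by other software over plain HTTP, which the new config description does not mention. I would emit only `"max-age={$duration}",` here and keep the `max-age=0` branch so an operator who turns the option off can clear the policy, adding the two directives behind explicit options if they are wanted. The enclosing method starts outside the hunk.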
diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -223,6 +223,26 @@
pht(
'If you enable this, you are allowing Phabricator to '.
'potentially make requests to external servers.')),
+ $this->newOption('security.strict-transport-security', 'bool', false)
+ ->setLocked(true)
+ ->setBoolOptions(
+ array(
+ pht('Use HSTS'),
+ pht('Do Not Use HSTS'),
+ ))
+ ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).'))
+ ->setDescription(
+ pht(
+ 'HTTP Strict Transport Security (HSTS) sends a header which '.
+ 'instructs browsers that the site should only be accessed '.
+ 'over HTTPS, never HTTP. This defuses an attack where an '.
+ 'adversary gains access to your network, then proxies requests '.
+ 'through an unsecured link.'.
+ "\n\n".
+ 'Do not enable this option if you serve (or plan to ever serve) '.
+ 'unsecured content over plain HTTP. It is very difficult to '.
+ 'undo this change once users browsers have accepted the '.
+ 'setting.')),
$this->newOption('security.allow-conduit-act-as-user', 'bool', false)
->setBoolOptions(
array(
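Review bot: The description passed to `setDescription` warns about plain-HTTP content on this host but not that the header emitted by AphrontResponse also carries `includeSubdomains` and `preload`, so an operator reading this text cannot tell that enabling the option affects every subdomain and advertises the domain for browser preload lists. I would add a sentence such as `'The header also applies to all subdomains of this host and marks the domain as eligible for browser HSTS preload lists.'` before the "Do not enable" paragraph. There is also a missing apostrophe on the `'undo this change once users browsers have accepted the '.` line, which should read `'undo this change once users\' browsers have accepted the '.`.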
D11820: Support HTTP Strict Transport Security