diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -24,6 +24,24 @@
$headers[] = array('X-Frame-Options', 'Deny');
}
+ if ($this->getRequest() && $this->getRequest()->isHTTPS()) {
+ $hsts_key = 'security.strict-transport-security';
+ $use_hsts = PhabricatorEnv::getEnvConfig($hsts_key);
+ if ($use_hsts) {
+ $duration = phutil_units('365 days in seconds');
+ } else {
+ // If HSTS has been disabled, tell browsers to turn it off. This may
+ // not be effective because we can only disable it over a valid HTTPS
+ // connection, but it best represents the configured intent.
+ $duration = 0;
+ }
+
+ $headers[] = array(
+ 'Strict-Transport-Security',
+ "max-age={$duration}; includeSubdomains; preload",
+ );
+ }
+
return $headers;
}
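Review bot: The header built on the `$headers[] = array('Strict-Transport-Security', ...)` line hard-codes `includeSubdomains; preload`, which commits every subdomain of the Phabricator host to HTTPS and signals eligibility for browser preload lists, neither of which the `security.strict-transport-security` option the hunk reads lets an operator opt out of. Since the option's own description (in the second hunk) only warns about plain-HTTP content on this host, an operator with other non-HTTPS services on sibling subdomains would break them by flipping one bool. I would emit `"max-age={$duration}"` alone and add the two directives only behind an explicit setting, or at least note in a comment above the array that `includeSubdomains` widens the policy to the whole domain and `preload` is effectively irreversible once submitted. The `$duration = 0` branch also still sends `includeSubdomains; preload`; with max-age 0 that is harmless, but dropping the directives there too keeps the disable path unambiguous. The enclosing method starts before the hunk.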
diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -223,6 +223,26 @@
pht(
'If you enable this, you are allowing Phabricator to '.
'potentially make requests to external servers.')),
+ $this->newOption('security.strict-transport-security', 'bool', false)
+ ->setLocked(true)
+ ->setBoolOptions(
+ array(
+ pht('Use HSTS'),
+ pht('Do Not Use HSTS'),
+ ))
+ ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).'))
+ ->setDescription(
+ pht(
+ 'HTTP Strict Transport Security (HSTS) sends a header which '.
+ 'instructs browsers that the site should only be accessed '.
+ 'over HTTPS, never HTTP. This defuses an attack where an '.
+ 'adversary gains access to your network, then proxies requests '.
+ 'through an unsecured link.'.
+ "\n\n".
+ 'Do not enable this option if you serve (or plan to ever serve) '.
+ 'unsecured content over plain HTTP. It is very difficult to '.
+ 'undo this change once users browsers have accepted the '.
+ 'setting.')),
$this->newOption('security.allow-conduit-act-as-user', 'bool', false)
->setBoolOptions(
array(
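Review bot: The `setDescription` text for `security.strict-transport-security` describes the policy as applying to "the site" but the header emitted in the first hunk carries `includeSubdomains` and `preload`, so the option's real scope is every subdomain of the host plus a standing request for preload-list inclusion; the description should say so, e.g. append `'The header is sent with includeSubdomains and preload, so all subdomains of this host must also be served over HTTPS.'` before the "Do not enable" paragraph. Minor wording in the same string: `'undo this change once users browsers have accepted the '` should read `users\' browsers`. The `newOption` call is complete within the hunk; the surrounding option list continues after it.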
