D11820.id28489.diff
diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -24,6 +24,24 @@
$headers[] = array('X-Frame-Options', 'Deny');
}
+ if ($this->getRequest() && $this->getRequest()->isHTTPS()) {
+ $hsts_key = 'security.strict-transport-security';
+ $use_hsts = PhabricatorEnv::getEnvConfig($hsts_key);
+ if ($use_hsts) {
+ $duration = phutil_units('365 days in seconds');
+ } else {
+ // If HSTS has been disabled, tell browsers to turn it off. This may
+ // not be effective because we can only disable it over a valid HTTPS
+ // connection, but it best represents the configured intent.
+ $duration = 0;
+ }
+
+ $headers[] = array(
+ 'Strict-Transport-Security',
+ "max-age={$duration}; includeSubdomains; preload",
+ );
+ }
+
return $headers;
}
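Review bot: The header built on the `"max-age={$duration}; includeSubdomains; preload"` line hard-codes two directives that go well beyond what the new `security.strict-transport-security` option describes: `includeSubdomains` forces every subdomain of the host (including any separately hosted service or the alternate file domain, if it is a subdomain) onto HTTPS, and `preload` asserts consent for inclusion in browser preload lists, which cannot be undone by later sending `max-age=0`. I would emit only `"max-age={$duration}",` here, or gate the two directives behind their own (locked) options, and add a comment such as `// Subdomain and preload scope are deliberately not asserted here; an admin must opt in to those separately.` The same gap applies to the option description in the second hunk, which should name both directives if they stay. As a minor style point, `$this->getRequest()` is called twice on the guard line; assigning it once to `$request` would read better.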
diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -223,6 +223,26 @@
pht(
'If you enable this, you are allowing Phabricator to '.
'potentially make requests to external servers.')),
+ $this->newOption('security.strict-transport-security', 'bool', false)
+ ->setLocked(true)
+ ->setBoolOptions(
+ array(
+ pht('Use HSTS'),
+ pht('Do Not Use HSTS'),
+ ))
+ ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).'))
+ ->setDescription(
+ pht(
+ 'HTTP Strict Transport Security (HSTS) sends a header which '.
+ 'instructs browsers that the site should only be accessed '.
+ 'over HTTPS, never HTTP. This defuses an attack where an '.
+ 'adversary gains access to your network, then proxies requests '.
+ 'through an unsecured link.'.
+ "\n\n".
+ 'If you serve some unsecured content to users over plain HTTP, '.
+ 'or plan to ever serve content to users over HTTP, you should '.
+ 'be careful about enabling this option. It may be difficult to '.
+ 'put the cat back in the bag.')),
$this->newOption('security.allow-conduit-act-as-user', 'bool', false)
->setBoolOptions(
array(
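Review bot: The description text in the `pht()` call should state that the header is only sent on HTTPS responses (the emitting code checks `isHTTPS()` before adding it), so enabling the option on an HTTP-only deployment has no effect, and that after disabling it browsers only drop the policy once they next load the site over HTTPS. I would append a paragraph along the lines of `'This header is only sent over HTTPS. Disabling the option sends a zero max-age, which browsers honor only on their next HTTPS visit.'` so administrators understand both the precondition and the limited reversibility the existing "cat back in the bag" sentence hints at.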
D11820: Support HTTP Strict Transport Security