authorFolker Bernitt <fbernitt@thoughtworks.com>2016-01-28 14:41:25 +0100
committerFolker Bernitt <fbernitt@thoughtworks.com>2016-01-28 14:41:25 +0100
commit991ccef69286551c56f1c7519f45dbeed82b6b52 (patch)
treee20aeb6d558a4bc95f0566ba61cea4b0bf612c62 /service
parent36a9354b49062a8eb8c2737d8580f38d17391642 (diff)
Add Strict-Transport-Security header to user agent
- Issue #584
Diffstat (limited to 'service')
-rw-r--r--service/pixelated/config/site.py4
-rw-r--r--service/test/unit/config/test_site.py17
2 files changed, 21 insertions, 0 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py
index e28daf16..8806366a 100644
--- a/service/pixelated/config/site.py
+++ b/service/pixelated/config/site.py
@@ -8,6 +8,10 @@ class AddCSPHeaderRequest(Request):
self.setHeader("Content-Security-Policy", self.HEADER_VALUES)
self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES)
self.setHeader("X-Webkit-CSP", self.HEADER_VALUES)
+
+ if self.isSecure():
+ self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
+
Request.process(self)
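Review bot: The new Strict-Transport-Security header is gated on `self.isSecure()`, which, judging by the test toggling `request._forceSSL`, reflects whether Twisted itself sees a TLS transport; behind a TLS-terminating reverse proxy that is presumably False, so in such a deployment the header would silently never be sent even though clients connect over HTTPS. If that deployment is supported, the gate needs the proxy case handled (for example by setting `_forceSSL` from a trusted forwarded-protocol indication), and either way the check deserves a why-comment: `# HSTS is only honoured over TLS (RFC 6797); isSecure() is False behind a TLS-terminating proxy unless _forceSSL is set`. The value is also an inline literal while the CSP values come from `self.HEADER_VALUES`; a class constant such as `HSTS_HEADER_VALUE = 'max-age=31536000; includeSubDomains'` would keep the two consistent and give the test in test_site.py one name to assert against instead of a duplicated string. The enclosing process() method begins outside the hunk.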
diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py
index 1858bfaf..83464e89 100644
--- a/service/test/unit/config/test_site.py
+++ b/service/test/unit/config/test_site.py
@@ -15,6 +15,23 @@ class TestPixelatedSite(unittest.TestCase):
self.assertEqual(headers.get("X-Content-Security-Policy"), header_value)
self.assertEqual(headers.get("X-Webkit-CSP"), header_value)
+ def test_add_strict_transport_security_header_if_secure(self):
+ request = self.create_request()
+ request._forceSSL = True
+
+ request.process()
+
+ headers = request.headers
+ self.assertEqual('max-age=31536000; includeSubDomains', headers.get('Strict-Transport-Security'))
+
+ def test_does_not_add_strict_transport_security_header_if_plain_http(self):
+ request = self.create_request()
+
+ request.process()
+
+ headers = request.headers
+ self.assertFalse('Strict-Transport-Security' in headers)
+
def create_request(self):
channel = LineReceiver()
channel.site = PixelatedSite(mock())