-rw-r--r-- | service/pixelated/config/site.py | 4 | ||||
-rw-r--r-- | service/test/unit/config/test_site.py | 17 |
2 files changed, 21 insertions, 0 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py index e28daf16..8806366a 100644 --- a/service/pixelated/config/site.py +++ b/service/pixelated/config/site.py @@ -8,6 +8,10 @@ class AddCSPHeaderRequest(Request): self.setHeader("Content-Security-Policy", self.HEADER_VALUES) self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES) self.setHeader("X-Webkit-CSP", self.HEADER_VALUES) + + if self.isSecure(): + self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') + Request.process(self) diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py index 1858bfaf..83464e89 100644 --- a/service/test/unit/config/test_site.py +++ b/service/test/unit/config/test_site.py @@ -15,6 +15,23 @@ class TestPixelatedSite(unittest.TestCase): self.assertEqual(headers.get("X-Content-Security-Policy"), header_value) self.assertEqual(headers.get("X-Webkit-CSP"), header_value) + def test_add_strict_transport_security_header_if_secure(self): + request = self.create_request() + request._forceSSL = True + + request.process() + + headers = request.headers + self.assertEqual('max-age=31536000; includeSubDomains', headers.get('Strict-Transport-Security')) + + def test_does_not_add_strict_transport_security_header_if_plain_http(self): + request = self.create_request() + + request.process() + + headers = request.headers + self.assertFalse('Strict-Transport-Security' in headers) + def create_request(self): channel = LineReceiver() channel.site = PixelatedSite(mock()) |
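Review bot: The new `if self.isSecure():` guard in site.py only looks at the connection this process sees, so when TLS is terminated by a reverse proxy that forwards plain HTTP, the Strict-Transport-Security header is presumably never emitted and browsers get no HSTS policy unless the proxy adds it. That is worth stating next to the guard, e.g. `# isSecure() reflects the direct connection only; a TLS-terminating proxy must add HSTS itself`. The policy string is also an inline literal while the CSP lines above it use `self.HEADER_VALUES`; a class constant such as `HSTS_HEADER_VALUE = 'max-age=31536000; includeSubDomains'` would keep the two consistent and give a place to document that `includeSubDomains` commits every subdomain of the serving host to HTTPS for a year. The enclosing method starts above the hunk, so the rest of its body is not visible here.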
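Review bot: `test_add_strict_transport_security_header_if_secure` makes the request secure by assigning the private attribute `request._forceSSL = True`, which ties the test to Twisted's internals rather than to the `isSecure()` call the production code depends on. Stubbing the public method instead, `request.isSecure = lambda: True`, keeps the test meaningful if that private field is renamed or its handling changes. In the plain-HTTP test, `self.assertNotIn('Strict-Transport-Security', headers)` would show the header collection on failure instead of a bare `True is not false`. `create_request` continues below the hunk, so how the default request is built is only partly visible.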