From 991ccef69286551c56f1c7519f45dbeed82b6b52 Mon Sep 17 00:00:00 2001 From: Folker Bernitt Date: Thu, 28 Jan 2016 14:41:25 +0100 Subject: Add Strict-Transport-Security header to user agent - Issue #584 --- service/pixelated/config/site.py | 4 ++++ service/test/unit/config/test_site.py | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py index e28daf16..8806366a 100644 --- a/service/pixelated/config/site.py +++ b/service/pixelated/config/site.py @@ -8,6 +8,10 @@ class AddCSPHeaderRequest(Request): self.setHeader("Content-Security-Policy", self.HEADER_VALUES) self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES) self.setHeader("X-Webkit-CSP", self.HEADER_VALUES) + + if self.isSecure(): + self.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') + Request.process(self) diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py index 1858bfaf..83464e89 100644 --- a/service/test/unit/config/test_site.py +++ b/service/test/unit/config/test_site.py @@ -15,6 +15,23 @@ class TestPixelatedSite(unittest.TestCase): self.assertEqual(headers.get("X-Content-Security-Policy"), header_value) self.assertEqual(headers.get("X-Webkit-CSP"), header_value) + def test_add_strict_transport_security_header_if_secure(self): + request = self.create_request() + request._forceSSL = True + + request.process() + + headers = request.headers + self.assertEqual('max-age=31536000; includeSubDomains', headers.get('Strict-Transport-Security')) + + def test_does_not_add_strict_transport_security_header_if_plain_http(self): + request = self.create_request() + + request.process() + + headers = request.headers + self.assertFalse('Strict-Transport-Security' in headers) + def create_request(self): channel = LineReceiver() channel.site = PixelatedSite(mock()) -- cgit v1.2.3