diff options
| author | Marin Jankovski <marin@gitlab.com> | 2015-07-13 11:09:51 +0300 |
|---|---|---|
| committer | Marin Jankovski <marin@gitlab.com> | 2015-07-13 11:09:51 +0300 |
| commit | 64c57502b6c7b2c50b502797bf56c60387bdab39 (patch) | |
| tree | b8eb5b0f14971d2d9e02c33f6b8f71d769c47a48 /app/controllers | |
| parent | ff3b68ac93f3556a45679a928d86fb6fc81cb98b (diff) | |
| parent | f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2 (diff) | |
Merge branch 'hsts-check-port-443' into 'master'
Only enable HSTS header for HTTPS and port 443
### What does this MR do?
This MR adds a check that the port used is 443, in addition to HTTPS being enabled, when activating the HSTS header.
### Why was this MR needed?
If a user is using a non-standard port for SSL, enabling this header would send clients to port 443 when that port is invalid.
### What are the relevant issue numbers?
Closes https://github.com/gitlabhq/gitlabhq/issues/9449
See merge request !966
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/application_controller.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8a9d0ce6ff4..362b03e0d5e 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base headers['X-XSS-Protection'] = '1; mode=block' headers['X-UA-Compatible'] = 'IE=edge' headers['X-Content-Type-Options'] = 'nosniff' - headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https + # Enabling HSTS for non-standard ports would send clients to the wrong port + if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443 + headers['Strict-Transport-Security'] = 'max-age=31536000' + end end def add_gon_variables |