
Commit 112ed96

committed
fix: hsts
1 parent 89b653f commit 112ed96


3 files changed

+42
-1
lines changed

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
Enhancement: HTTP Strict Transport Security
2+
3+
Added Support for HTTP Strict Transport Security. It reduces surface for Man-in-the-Middle attacks or leakage of sensitive information.
4+
5+
https://github.com/owncloud/ocis/pull/11568

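--- a/services/proxy/pkg/middleware/security.go
+++ b/services/proxy/pkg/middleware/security.go
@@ -62,6 +62,7 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 FrameDeny: true,
 ReferrerPolicy: "strict-origin-when-cross-origin",
 STSSeconds: 315360000,
+STSIncludeSubdomains: true,
 STSPreload: true,
 PermittedCrossDomainPolicies: "none",
 RobotTag: "none",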
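Review bot: The added `STSIncludeSubdomains: true`, together with the existing `STSPreload: true` and the ten-year `STSSeconds`, produces a header that meets the HSTS preload-list submission criteria, and the hunk leaves that operational consequence undocumented. Once a host is preloaded, every subdomain must be served over valid HTTPS or browsers will refuse to connect, and removal from the list is slow, so a comment above `STSSeconds` such as `// HSTS: includeSubDomains + preload + max-age >= 1 year meets the preload-list criteria; all subdomains must serve valid TLS before the host is submitted` would warn future maintainers. The changelog entry in this commit could likewise state that subdomains are now covered. The enclosing `Security` function starts and ends outside the hunk.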

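--- a/services/proxy/pkg/middleware/security_test.go
+++ b/services/proxy/pkg/middleware/security_test.go
@@ -1,8 +1,12 @@
 package middleware
 
 import (
-"gotest.tools/v3/assert"
+"net/http"
+"net/http/httptest"
 "testing"
+
+"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
+"gotest.tools/v3/assert"
 )
 
 func TestLoadCSPConfig(t *testing.T) {
@@ -25,3 +29,34 @@ directives:
 assert.Equal(t, config.Directives["frame-src"][2], "https://onlyoffice.owncloud.test/")
 assert.Equal(t, config.Directives["frame-src"][3], "https://collabora.owncloud.test/")
 }
+
+func TestStrictTransportSecurity(t *testing.T) {
+// Create test handler
+handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+w.WriteHeader(http.StatusOK)
+})
+
+// Use production security middleware config
+cspConfig := &config.CSP{
+Directives: map[string][]string{
+"default-src": {"'none'"},
+},
+}
+securityMiddleware := Security(cspConfig)
+
+// Test HTTPS request, url not important, only headers will be checked
+req, err := http.NewRequest("GET", "https://example.com", nil)
+if err != nil {
+t.Fatal(err)
+}
+req.Header.Set("X-Forwarded-Proto", "https")
+
+rr := httptest.NewRecorder()
+securityMiddleware(handler).ServeHTTP(rr, req)
+
+hstsHeader := rr.Header().Get("Strict-Transport-Security")
+
+// HSTS header should contain includeSubDomains
+expected := "max-age=315360000; includeSubDomains; preload"
+assert.Equal(t, hstsHeader, expected, "HSTS header missing includeSubDomains directive - subdomains not protected")
+}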
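Review bot: `TestStrictTransportSecurity` builds its request with `http.NewRequest` plus an error check where `httptest.NewRequest` is the idiom for handler tests: it cannot fail, so the four lines from `req, err := ...` through the closing `}` collapse to `req := httptest.NewRequest("GET", "https://example.com", nil)`, and the package is already imported in the first hunk. The comment `// Use production security middleware config` overstates what the test does, since it passes a one-directive CSP stub rather than the production configuration; `// Minimal CSP config; only the STS header is under test` would be accurate. The test covers only the HTTPS path, and whether the header is suppressed for a plain-HTTP request depends on middleware options outside this diff, so a companion assertion on an `http://` request would pin that behaviour down.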
