Enable adding preload tag to HSTS header (#1247)

hchood · vishr · commit 5434a5392f9a · 2019-03-06T10:22:19.000-08:00
diff --git a/middleware/secure.go b/middleware/secure.go
@@ -60,6 +60,12 @@ type (
 		// have occurred instead of blocking the resource.
 		// Optional. Default value false.
 		CSPReportOnly bool `yaml:"csp_report_only"`
+
+		// HSTSPreloadEnabled will add the preload tag in the `Strict Transport Security`
+		// header, which enables the domain to be included in the HSTS preload list
+		// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
+		// Optional.  Default value false.
+		HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
 	}
 )
 
@@ -70,6 +76,7 @@ var (
 		XSSProtection:      "1; mode=block",
 		ContentTypeNosniff: "nosniff",
 		XFrameOptions:      "SAMEORIGIN",
+		HSTSPreloadEnabled: false,
 	}
 )
 
@@ -112,6 +119,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 				if !config.HSTSExcludeSubdomains {
 					subdomains = "; includeSubdomains"
 				}
+				if config.HSTSPreloadEnabled {
+					subdomains = fmt.Sprintf("%s; preload", subdomains)
+				}
 				res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))
 			}
 			if config.ContentSecurityPolicy != "" {
diff --git a/middleware/secure_test.go b/middleware/secure_test.go
@@ -62,4 +62,25 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+
+	// Custom, with preload option enabled
+	req.Header.Set(echo.HeaderXForwardedProto, "https")
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	SecureWithConfig(SecureConfig{
+		HSTSMaxAge:         3600,
+		HSTSPreloadEnabled: true,
+	})(h)(c)
+	assert.Equal(t, "max-age=3600; includeSubdomains; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
+
+	// Custom, with preload option enabled and subdomains excluded
+	req.Header.Set(echo.HeaderXForwardedProto, "https")
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	SecureWithConfig(SecureConfig{
+		HSTSMaxAge:            3600,
+		HSTSPreloadEnabled:    true,
+		HSTSExcludeSubdomains: true,
+	})(h)(c)
+	assert.Equal(t, "max-age=3600; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 }

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,12 @@ type (`
`60`	`60`	`// have occurred instead of blocking the resource.`
`61`	`61`	`// Optional. Default value false.`
`62`	`62`	CSPReportOnly bool `yaml:"csp_report_only"`
	`63`	`+`
	`64`	+ // HSTSPreloadEnabled will add the preload tag in the `Strict Transport Security`
	`65`	`+ // header, which enables the domain to be included in the HSTS preload list`
	`66`	`+ // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/`
	`67`	`+ // Optional. Default value false.`
	`68`	+ HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
`63`	`69`	`}`
`64`	`70`	`)`
`65`	`71`
`@@ -70,6 +76,7 @@ var (`
`70`	`76`	`XSSProtection: "1; mode=block",`
`71`	`77`	`ContentTypeNosniff: "nosniff",`
`72`	`78`	`XFrameOptions: "SAMEORIGIN",`
	`79`	`+ HSTSPreloadEnabled: false,`
`73`	`80`	`}`
`74`	`81`	`)`
`75`	`82`
`@@ -112,6 +119,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {`
`112`	`119`	`if !config.HSTSExcludeSubdomains {`
`113`	`120`	`subdomains = "; includeSubdomains"`
`114`	`121`	`}`
	`122`	`+ if config.HSTSPreloadEnabled {`
	`123`	`+ subdomains = fmt.Sprintf("%s; preload", subdomains)`
	`124`	`+ }`
`115`	`125`	`res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))`
`116`	`126`	`}`
`117`	`127`	`if config.ContentSecurityPolicy != "" {`