luci-base: append Strict-Transport-Security header on https

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. So the header will only be send if luci is accessed over HTTPS. The "max-age" expire time could be configured in "/etc/config/luci" main section with the option "stricthttps". Signed-off-by: Florian Eckert <fe@dev.tdt.de>
openwrt · Jan 16, 2018 · aa8415f · aa8415f
1 parent cfea69a
commit aa8415f
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
@@ -418,6 +418,13 @@ function dispatch(request)
 		ctx.authsession = sid
 		ctx.authtoken = sdat.token
 		ctx.authuser = sdat.username
+
+		if http.getenv("HTTPS") == "on" then
+			local httpsexpire = conf.main.stricthttps
+			if httpsexpire then
+				http.header("Strict-Transport-Security", 'max-age=%s' % httpsexpire)
+			end
+		end
 	end
 
 	if c and require_post_security(c.target) then