
Commit 68ad2a1

fix(api): always set Strict-Transport-Security header (#644)
1 parent 8db1ffd commit 68ad2a1


2 files changed

+3
-6
lines changed


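--- a/router/middleware/header.go
+++ b/router/middleware/header.go
@@ -51,12 +51,9 @@ func Secure(c *gin.Context) {
 c.Header("X-Frame-Options", "DENY")
 c.Header("X-Content-Type-Options", "nosniff")
 c.Header("X-XSS-Protection", "1; mode=block")
-
-// Also consider adding Content-Security-Policy headers
+// TODO: consider adding Content-Security-Policy headers
 // c.Header("Content-Security-Policy", "script-src 'self' https://cdnjs.cloudflare.com")
-if c.Request.TLS != nil {
-c.Header("Strict-Transport-Security", "max-age=31536000")
-}
+c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
 }
 
 // Cors is a middleware function that appends headers for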
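Review bot: Hardcoding `preload` together with `includeSubDomains` on the new Strict-Transport-Security line commits every operator's registrable domain to HTTPS-only on all subdomains, and once a domain is submitted to the browser preload list that is effectively irreversible for that operator; that is a deployment policy decision the middleware should not make on its own. Dropping the `c.Request.TLS != nil` guard itself is defensible, since browsers ignore an HSTS header received over plain HTTP (RFC 6797 §8.1) and the old check was blind to TLS terminated at a reverse proxy, but the two extra directives should be opt-in, e.g. default to `c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains")` and append `; preload` only when the operator has enabled it. A short why-comment above the line would also help the next reader, e.g. `// Always sent: browsers ignore HSTS over plain HTTP, and TLS is often terminated upstream so c.Request.TLS is nil here.` Secure's signature and opening lines are outside this hunk.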

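--- a/router/middleware/header_test.go
+++ b/router/middleware/header_test.go
@@ -267,7 +267,7 @@ func TestMiddleware_Secure_TLS(t *testing.T) {
 wantFrameOptions := "DENY"
 wantContentTypeOptions := "nosniff"
 wantProtection := "1; mode=block"
-wantSecurity := "max-age=31536000"
+wantSecurity := "max-age=63072000; includeSubDomains; preload"
 
 // setup context
 gin.SetMode(gin.TestMode)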
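Review bot: Only the TLS case is updated here, yet the behavior the commit introduces is that the header is sent regardless of TLS, so the test that pins the new guarantee is the plain-HTTP one: a request with `c.Request.TLS == nil` should now expect `wantSecurity` as well. If a sibling test elsewhere in this file asserts that Strict-Transport-Security is absent on non-TLS requests (not visible in this hunk), it will now fail and needs the same expected value. Since TLS no longer influences the outcome, the `_TLS` suffix on `TestMiddleware_Secure_TLS` is also misleading; a table-driven test with one TLS and one non-TLS request sharing the same expectations would document the intent better than two near-identical functions. The enclosing test function starts before and ends after this hunk.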
