Author: rfm Date: Wed Mar 22 12:56:58 2017 New Revision: 40408 URL: http://svn.gna.org/viewcvs/gnustep?rev=40408&view=rev Log: Enable HSTS for 7 days by default. Add methods to get/set HSTS max-age value.
Modified: libs/webserver/trunk/WebServer.h libs/webserver/trunk/WebServer.m libs/webserver/trunk/WebServerConnection.m Modified: libs/webserver/trunk/WebServer.h URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.h?rev=40408&r1=40407&r2=40408&view=diff ============================================================================== --- libs/webserver/trunk/WebServer.h (original) +++ libs/webserver/trunk/WebServer.h Wed Mar 22 12:56:58 2017 @@ -440,6 +440,7 @@ NSMutableDictionary *_userInfoMap; NSLock *_incrementalDataLock; NSMutableDictionary *_incrementalDataMap; + NSUInteger _strictTransportSecurity; void *_reserved; } @@ -974,6 +975,16 @@ - (void) setSecureProxy: (BOOL)aFlag; /** + * Specifies the number of seconds HSTS is to be turned on for when responding + * to a request on a secure connection (including via a secure proxy).<br /> + * The Strict-Transport-Security header is automatically set in the response + * to any incoming request (but code handling the request may alter that).<br /> + * The default setting is 7 days (604800 seconds), while a setting of zero + * turns off HSTS. + */ +- (void) setStrictTransportSecurity: (NSUInteger)seconds; + +/** * Sets the maximum recursion depth allowed for substitutions into * templates. This defaults to 4. */ 
@@ -1037,6 +1048,13 @@ * </p> */ - (BOOL) streamData: (NSData*)data withResponse: (WebServerResponse*)response; + +/** + * Returns the number of seconds set for HSTS for this server.<br /> + * This will be zero if the server is not using a secure connection or + * if HSTS has been disabled by the -setStrictTransportSecurity: method. + */ +- (NSUInteger) strictTransportSecurity; /** * Perform substitutions replacing the markup in aTemplate with the Modified: libs/webserver/trunk/WebServer.m URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.m?rev=40408&r1=40407&r2=40408&view=diff ============================================================================== --- libs/webserver/trunk/WebServer.m (original) +++ libs/webserver/trunk/WebServer.m Wed Mar 22 12:56:58 2017 @@ -1649,6 +1649,11 @@ } } +- (void) setStrictTransportSecurity: (NSUInteger)seconds +{ + _strictTransportSecurity = seconds; +} + - (void) setConnectionTimeout: (NSTimeInterval)aDelay { if (aDelay != _connectionTimeout) @@ -1837,6 +1842,11 @@ [connection release]; return YES; } +} + +- (NSUInteger) strictTransportSecurity +{ + return _strictTransportSecurity; } - (BOOL) substituteFrom: (NSString*)aTemplate @@ -2617,6 +2627,7 @@ _userInfoMap = [NSMutableDictionary new]; _incrementalDataLock = [NSLock new]; _userInfoLock = [NSLock new]; + _strictTransportSecurity = 604800; // Default is 7 days /* We need a timer so that the main thread can handle connection * timeouts. Modified: libs/webserver/trunk/WebServerConnection.m URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServerConnection.m?rev=40408&r1=40407&r2=40408&view=diff ============================================================================== --- libs/webserver/trunk/WebServerConnection.m (original) +++ libs/webserver/trunk/WebServerConnection.m Wed Mar 22 12:56:58 2017 
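Review bot: The new `-strictTransportSecurity` getter in the WebServer.m hunk returns `_strictTransportSecurity` unconditionally, while the header comment added for it in the WebServer.h hunk promises zero "if the server is not using a secure connection", and the WebServerConnection.m hunk that follows uses this getter alone to decide whether to emit `Strict-Transport-Security`, so the header is currently sent on plaintext responses as well. User agents ignore HSTS received over a non-TLS transport, so this is noise rather than a protection gap, but the documented contract is not met and a reader of the header will assume the transport check exists. Either make the getter consult whatever secure-connection or secure-proxy state the class already tracks (the `-setSecureProxy:` declaration is visible as context in the header hunk, but the corresponding state is not in this diff), or reword the comment to "Returns the configured HSTS max-age in seconds, zero when disabled" and perform the transport check at the emission site, e.g. `if (seconds > 0 && connectionIsSecure)` with the condition taken from the connection's existing state. The setter hunk could also note that the value is applied only to responses created after the call, since the header is attached when the response object is built.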
@@ -1084,8 +1084,20 @@
 {
 if (nil == response)
 {
+ NSUInteger seconds = [server strictTransportSecurity];
+
 response = [WebServerResponse allocWithZone: NSDefaultMallocZone()];
 response = [response initWithConnection: self];
+ if (seconds > 0)
+ {
+ NSString *value;
+
+ value = [NSString stringWithFormat: @"max-age=%lu",
+ (unsigned long)seconds];
+ [response setHeader: @"Strict-Transport-Security"
+ value: value
+ parameters: nil];
+ }
 }
 return response;
 }
_______________________________________________
Gnustep-cvs mailing list
Gnustep-cvs@gna.org
https://mail.gna.org/listinfo/gnustep-cvs