Commit 64c57502 authored by Marin Jankovski's avatar Marin Jankovski

Merge branch 'hsts-check-port-443' into 'master'

Only enable HSTS header for HTTPS and port 443

### What does this MR do?

This MR adds a check that the port used is 443, in addition to HTTPS being enabled, when activating the HSTS header.

### Why was this MR needed?

If a user is using a non-standard port for SSL, enabling this header would send clients to port 443 when that port is invalid.

### What are the relevant issue numbers?

Closes https://github.com/gitlabhq/gitlabhq/issues/9449

See merge request !966
parents ff3b68ac f4f216db
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
v 7.13.0 (unreleased) v 7.13.0 (unreleased)
- Only enable HSTS header for HTTPS and port 443 (Stan Hu)
- Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu) - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
- Fix redirection to home page URL for unauthorized users (Daniel Gerhardt) - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
- Add branch switching support for graphs (Daniel Gerhardt) - Add branch switching support for graphs (Daniel Gerhardt)
......
...@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base ...@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base
headers['X-XSS-Protection'] = '1; mode=block' headers['X-XSS-Protection'] = '1; mode=block'
headers['X-UA-Compatible'] = 'IE=edge' headers['X-UA-Compatible'] = 'IE=edge'
headers['X-Content-Type-Options'] = 'nosniff' headers['X-Content-Type-Options'] = 'nosniff'
headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https # Enabling HSTS for non-standard ports would send clients to the wrong port
if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443
headers['Strict-Transport-Security'] = 'max-age=31536000'
end
end end
def add_gon_variables def add_gon_variables
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment