TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-01-08 09:07:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/derper: enable HSTS when serving over HTTPS.

Browse Source 
Starting with a short lifetime, to verify nothing breaks.

Updates #3373

Signed-off-by: David Anderson <danderson@tailscale.com>
This commit is contained in:
David Anderson 2021-11-22 09:35:17 -08:00 committed by Dave Anderson
parent f76a8d93da
commit 937e96f43d
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/derper/derper.go
View File

@ -235,6 +235,14 @@ func main() {
cert.Certificate = append(cert.Certificate, s.MetaCert()) cert.Certificate = append(cert.Certificate, s.MetaCert())
return cert, nil return cert, nil
} }
httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Security scanners get cranky when HTTPS sites don't set
// HSTS. Set it even though derper doesn't really serve
// anything of interest to browsers (and API clients like
// tailscale don't obey HSTS).
w.Header().Set("Strict-Transport-Security", "max-age=600; includeSubDomains")
mux.ServeHTTP(w, r)
})
go func() { go func() {
port80srv := &http.Server{ port80srv := &http.Server{
Addr: net.JoinHostPort(listenHost, "80"), Addr: net.JoinHostPort(listenHost, "80"),