safeweb: add StrictTransportSecurityOptions config (#13679)

Add the ability to specify Strict-Transport-Security options in response to BrowserMux HTTP requests in safeweb. Updates https://github.com/tailscale/corp/issues/23375 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-08-21 02:17:36 +00:00 · 2024-10-03 19:38:29 +01:00
parent dc60c8d786
commit a3c6a3a34f
2 changed files with 61 additions and 0 deletions
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -94,6 +94,10 @@ var defaultCSP = strings.Join([]string{
 	`object-src 'self'`,       // disallow embedding of resources from other origins
 }, "; ")

+// The default Strict-Transport-Security header. This header tells the browser
+// to exclusively use HTTPS for all requests to the origin for the next year.
+var DefaultStrictTransportSecurityOptions = "max-age=31536000"
+
 // Config contains the configuration for a safeweb server.
 type Config struct {
 	// SecureContext specifies whether the Server is running in a secure (HTTPS) context.
@@ -134,6 +138,12 @@ type Config struct {
 	// CookiesSameSiteLax specifies whether to use SameSite=Lax in cookies. The
 	// default is to set SameSite=Strict.
 	CookiesSameSiteLax bool
+
+	// StrictTransportSecurityOptions specifies optional directives for the
+	// Strict-Transport-Security header sent in response to requests made to the
+	// BrowserMux when SecureContext is true.
+	// If empty, it defaults to max-age of 1 year.
+	StrictTransportSecurityOptions string
 }

 func (c *Config) setDefaults() error {
@@ -274,6 +284,9 @@ func (s *Server) serveBrowser(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Security-Policy", s.csp)
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Referer-Policy", "same-origin")
+	if s.SecureContext {
+		w.Header().Set("Strict-Transport-Security", cmp.Or(s.StrictTransportSecurityOptions, DefaultStrictTransportSecurityOptions))
+	}
 	s.csrfProtect(s.BrowserMux).ServeHTTP(w, r)
 }