safeweb: add StrictTransportSecurityOptions config (#13679)

Add the ability to specify Strict-Transport-Security options in response
to BrowserMux HTTP requests in safeweb.

Updates https://github.com/tailscale/corp/issues/23375

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>

safeweb/http_test.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/gorilla/csrf"
 )
 
@@ -561,3 +562,50 @@ func TestGetMoreSpecificPattern(t *testing.T) {
 		})
 	}
 }
+
+func TestStrictTransportSecurityOptions(t *testing.T) {
+	tests := []struct {
+		name          string
+		options       string
+		secureContext bool
+		expect        string
+	}{
+		{
+			name: "off by default",
+		},
+		{
+			name:          "default HSTS options in the secure context",
+			secureContext: true,
+			expect:        DefaultStrictTransportSecurityOptions,
+		},
+		{
+			name:          "custom options sent in the secure context",
+			options:       DefaultStrictTransportSecurityOptions + "; includeSubDomains",
+			secureContext: true,
+			expect:        DefaultStrictTransportSecurityOptions + "; includeSubDomains",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := &http.ServeMux{}
+			h.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Write([]byte("ok"))
+			}))
+			s, err := NewServer(Config{BrowserMux: h, SecureContext: tt.secureContext, StrictTransportSecurityOptions: tt.options})
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer s.Close()
+
+			req := httptest.NewRequest("GET", "/", nil)
+			w := httptest.NewRecorder()
+			s.h.Handler.ServeHTTP(w, req)
+			resp := w.Result()
+
+			if cmp.Diff(tt.expect, resp.Header.Get("Strict-Transport-Security")) != "" {
+				t.Fatalf("HSTS want: %q; got: %q", tt.expect, resp.Header.Get("Strict-Transport-Security"))
+			}
+		})
+	}
+}