Author: rfm
Date: Wed Mar 22 12:56:58 2017
New Revision: 40408
URL: http://svn.gna.org/viewcvs/gnustep?rev=40408&view=rev
Log:
Enable HSTS for 7 days by default. Add methods to get/set HSTS max-age value.
Modified:
libs/webserver/trunk/WebServer.h
libs/webserver/trunk/WebServer.m
libs/webserver/trunk/WebServerConnection.m
Modified: libs/webserver/trunk/WebServer.h
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.h?rev=40408&r1=40407&r2=40408&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.h (original)
+++ libs/webserver/trunk/WebServer.h Wed Mar 22 12:56:58 2017
@@ -440,6 +440,7 @@
NSMutableDictionary *_userInfoMap;
NSLock *_incrementalDataLock;
NSMutableDictionary *_incrementalDataMap;
+ NSUInteger _strictTransportSecurity;
void *_reserved;
}
@@ -974,6 +975,16 @@
- (void) setSecureProxy: (BOOL)aFlag;
/**
+ * Specifies the number of seconds HSTS is to be turned on for when responding
+ * to a request on a secure connection (including via a secure proxy).<br />
+ * The Strict-Transport-Security header is automatically set in the response
+ * to any incoming request (but code handling the request may alter that).<br
/>
+ * The default setting is 7 days (604800 seconds), while a setting of zero
+ * turns off HSTS.
+ */
+- (void) setStrictTransportSecurity: (NSUInteger)seconds;
+
+/**
* Sets the maximum recursion depth allowed for substitutions into
* templates. This defaults to 4.
*/
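Review bot: The doc comment for `-setStrictTransportSecurity:` says a setting of zero "turns off HSTS", but in the WebServerConnection.m hunk a zero value only omits the header. A browser that has already received the 7-day policy keeps enforcing it until that max-age expires. I would add a sentence to the comment such as `Setting zero stops the header being sent but does not revoke a policy clients have already cached; to revoke it, send Strict-Transport-Security: max-age=0 from the request handler.` The comment already notes that request-handling code may alter the header, so that is the route to document.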
@@ -1037,6 +1048,13 @@
* </p>
*/
- (BOOL) streamData: (NSData*)data withResponse: (WebServerResponse*)response;
+
+/**
+ * Returns the number of seconds set for HSTS for this server.<br />
+ * This will be zero if the server is not using a secure connection or
+ * if HSTS has been disabled by the -setStrictTransportSecurity: method.
+ */
+- (NSUInteger) strictTransportSecurity;
/**
* Perform substitutions replacing the markup in aTemplate with the
Modified: libs/webserver/trunk/WebServer.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.m?rev=40408&r1=40407&r2=40408&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.m (original)
+++ libs/webserver/trunk/WebServer.m Wed Mar 22 12:56:58 2017
@@ -1649,6 +1649,11 @@
}
}
+- (void) setStrictTransportSecurity: (NSUInteger)seconds
+{
+ _strictTransportSecurity = seconds;
+}
+
- (void) setConnectionTimeout: (NSTimeInterval)aDelay
{
if (aDelay != _connectionTimeout)
@@ -1837,6 +1842,11 @@
[connection release];
return YES;
}
+}
+
+- (NSUInteger) strictTransportSecurity
+{
+ return _strictTransportSecurity;
}
- (BOOL) substituteFrom: (NSString*)aTemplate
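Review bot: `-strictTransportSecurity` returns `_strictTransportSecurity` unconditionally, while its header comment in WebServer.h promises zero when the server is not using a secure connection. The WebServerConnection.m hunk relies on this getter alone (`if (seconds > 0)`), so as far as these hunks show the header is also added to responses on plain-HTTP listeners, where RFC 6797 says it must not be sent and browsers ignore it. Either the getter should return 0 unless the server is configured for TLS or a secure proxy, or the connection code should check that before calling `setHeader:value:parameters:`. The state that tracks this lies outside the hunks, so I have not quoted a replacement line. The getter is inserted between two methods whose bodies continue outside the hunk.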
@@ -2617,6 +2627,7 @@
_userInfoMap = [NSMutableDictionary new];
_incrementalDataLock = [NSLock new];
_userInfoLock = [NSLock new];
+ _strictTransportSecurity = 604800; // Default is 7 days
/* We need a timer so that the main thread can handle connection
* timeouts.
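Review bot: The `// Default is 7 days` comment on `_strictTransportSecurity = 604800;` does not mention that this default changes behaviour for existing deployments on upgrade. An HSTS policy applies to the whole hostname on every port, so a plain-HTTP service sharing that hostname becomes unreachable from browsers that have seen the header. I would extend the comment to something like `// Default is 7 days; HSTS covers the whole hostname, so set 0 if other ports on this host still serve plain HTTP`. I would also give the value a named constant rather than repeating 604800 here and in the WebServer.h documentation. The initialiser this line sits in starts and ends outside the hunk.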
Modified: libs/webserver/trunk/WebServerConnection.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServerConnection.m?rev=40408&r1=40407&r2=40408&view=diff
==============================================================================
--- libs/webserver/trunk/WebServerConnection.m (original)
+++ libs/webserver/trunk/WebServerConnection.m Wed Mar 22 12:56:58 2017
@@ -1084,8 +1084,20 @@
{
if (nil == response)
{
+ NSUInteger seconds = [server strictTransportSecurity];
+
response = [WebServerResponse allocWithZone: NSDefaultMallocZone()];
response = [response initWithConnection: self];
+ if (seconds > 0)
+ {
+ NSString *value;
+
+ value = [NSString stringWithFormat: @"max-age=%lu",
+ (unsigned long)seconds];
+ [response setHeader: @"Strict-Transport-Security"
+ value: value
+ parameters: nil];
+ }
}
return response;
}