Add 'includeSubDomains' in HSTS preload header.

Resolves #2049.
Closes #2050.

Co-authored-by: Soham Roy <sohamroy@sohamroy.me>
This commit is contained in:
Sergio Benitez 2022-02-22 18:07:25 -08:00
parent fda05bddd2
commit 8825f936ef
1 changed files with 18 additions and 2 deletions


@ -284,10 +284,21 @@ pub enum Hsts {
/// Like [`Hsts::Enable`], but also apply to all of the site's subdomains.
IncludeSubDomains(Duration),
/// Send a "preload" HSTS header, which requests inclusion in the HSTS
/// preload list. This variant implies [`Hsts::IncludeSubDomains`], which
/// implies [`Hsts::Enable`].
///
/// The provided `Duration` must be _at least_ 365 days. If the duration
/// provided is less than 365 days, the header will be written out with a
/// `max-age` of 365 days.
///
/// # Details
///
/// Google maintains an [HSTS preload service] that can be used to prevent
/// the browser from ever connecting to your site over an insecure
/// connection. Read more at [MDN]. Don't enable this before you have
/// registered your site.
/// registered your site and you ensure that it meets the requirements
/// specified by the preload service.
///
/// [HSTS preload service]: https://hstspreload.org/
/// [MDN]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
@ -317,7 +328,12 @@ impl From<&Hsts> for Header<'static> {
Hsts::IncludeSubDomains(age) => {
format!("max-age={}; includeSubDomains", age.whole_seconds())
}
Hsts::Preload(age) => format!("max-age={}; preload", age.whole_seconds()),
Hsts::Preload(age) => {
// Google says it needs to be >= 365 days for preload list.
static YEAR: Duration = Duration::seconds(31536000);
format!("max-age={}; includeSubDomains; preload", age.max(&YEAR).whole_seconds())
}
};
Header::new(Hsts::NAME, policy_string)
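Review bot: `static YEAR: Duration = Duration::seconds(31536000);` in the new `Hsts::Preload` arm is a compile-time constant, so `const` states the intent better than `static`, and spelling it as the documented requirement removes the magic number: `const YEAR: Duration = Duration::days(365);` (this assumes `Duration` here is `time::Duration`, whose `seconds` and `days` constructors are `const fn`; confirm against the file's imports). The clamp `age.max(&YEAR)` silently raises any configured `max-age` below one year to exactly one year, which matches the doc text in the first hunk but gives a caller who chose a shorter age for a staged rollout a full-year policy with no signal, so a comment at the clamp stating that this is deliberate would help, e.g. `// Preload submission requires max-age >= 1 year; clamp rather than emit a non-compliant header.`. The enclosing `From<&Hsts>` impl starts and ends outside the hunk.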