Only enable HSTS header for HTTPS and port 443

Closes https://github.com/gitlabhq/gitlabhq/issues/9449

Only enable HSTS header for HTTPS and port 443
Closes https://github.com/gitlabhq/gitlabhq/issues/9449
f4f216db · Stan Hu · d0b24013 · f4f216db · f4f216db
Commit f4f216db authored Jul 12, 2015 by Stan Hu
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

app/controllers/application_controller.rb app/controllers/application_controller.rb +4 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.
 v 7.13.0 (unreleased)
+  - Only enable HSTS header for HTTPS and port 443 (Stan Hu)
  - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
  - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
  - Add branch switching support for graphs (Daniel Gerhardt)

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base
    headers['X-XSS-Protection'] = '1; mode=block'
    headers['X-UA-Compatible'] = 'IE=edge'
    headers['X-Content-Type-Options'] = 'nosniff'
-    headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https
+    # Enabling HSTS for non-standard ports would send clients to the wrong port
+    if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443
+      headers['Strict-Transport-Security'] = 'max-age=31536000'
+    end
  end
  def add_gon_variables