author | bentley <bentley@openbsd.org> | 2018-10-15 08:16:17 +0000 |
committer | bentley <bentley@openbsd.org> | 2018-10-15 08:16:17 +0000 |
commit | ae30f9e2395a5e4dd0e7c83fe693ad5dcbd086f2 (patch) | |
tree | d459b1c17c11881e851a596ab3bfc5a00acba67f /usr.sbin/httpd | |
parent | Add join tests (diff) | |
Omit HSTS headers over unencrypted connections, per RFC 6797.
ok florian@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r-- | usr.sbin/httpd/server_fcgi.c | 5 | ||||
-rw-r--r-- | usr.sbin/httpd/server_http.c | 8 |
2 files changed, 8 insertions, 5 deletions
diff --git a/usr.sbin/httpd/server_fcgi.c b/usr.sbin/httpd/server_fcgi.c
index 17fab77c493..e0a23fc627a 100644
--- a/usr.sbin/httpd/server_fcgi.c
+++ b/usr.sbin/httpd/server_fcgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_fcgi.c,v 1.76 2018/05/19 13:56:56 jsing Exp $ */
+/* $OpenBSD: server_fcgi.c,v 1.77 2018/10/15 08:16:17 bentley Exp $ */
 
 /*
  * Copyright (c) 2014 Florian Obser <florian@openbsd.org>
@@ -655,7 +655,8 @@ server_fcgi_header(struct client *clt, unsigned int code)
 		return (-1);
 
 	/* HSTS header */
-	if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+	if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+	    srv_conf->flags & SRVFLAG_TLS) {
 		if ((cl = kv_add(&resp->http_headers,
 		    "Strict-Transport-Security", NULL)) == NULL ||
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index bc0f754e0aa..1f1a03d06e2 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.125 2018/10/11 09:52:22 benno Exp $ */
+/* $OpenBSD: server_http.c,v 1.126 2018/10/15 08:16:17 bentley Exp $ */
 
 /*
  * Copyright (c) 2006 - 2018 Reyk Floeter <reyk@openbsd.org>
@@ -950,7 +950,8 @@ server_abort_http(struct client *clt, unsigned int code, const char *msg)
 		goto done;
 	}
 
-	if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+	if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+	    srv_conf->flags & SRVFLAG_TLS) {
 		if (asprintf(&hstsheader, "Strict-Transport-Security: "
 		    "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
 		    srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
@@ -1452,7 +1453,8 @@ server_response_http(struct client *clt, unsigned int code,
 		return (-1);
 
 	/* HSTS header */
-	if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+	if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+	    srv_conf->flags & SRVFLAG_TLS) {
 		if ((cl = kv_add(&resp->http_headers,
 		    "Strict-Transport-Security", NULL)) == NULL ||
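Review bot: The new condition `srv_conf->flags & SRVFLAG_SERVER_HSTS && srv_conf->flags & SRVFLAG_TLS` in server_abort_http relies on `&` binding tighter than `&&`, which is correct but easy to misread; writing `if ((srv_conf->flags & SRVFLAG_SERVER_HSTS) && (srv_conf->flags & SRVFLAG_TLS)) {` makes the precedence explicit. The identical two-flag test is also added in server_fcgi_header (server_fcgi.c) and in server_response_http in this file, so the RFC 6797 rule now lives in three places; a single `static inline` predicate (a constructed name such as `server_hsts_wanted(srv_conf)`) would keep them from drifting apart. Unlike those two sites, this `if` carries no `/* HSTS header */` comment, and none of the three says why TLS is required, so a comment such as `/* HSTS header; RFC 6797 7.2 forbids it on cleartext */` above the `if` would help. Note that the guard keys on the server configuration's TLS flag rather than on the state of this client's connection; if a server config can ever be reached through a non-TLS listener the header would still be sent in cleartext, which is worth confirming or stating in that comment. server_abort_http starts and ends outside the hunk.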