From ae30f9e2395a5e4dd0e7c83fe693ad5dcbd086f2 Mon Sep 17 00:00:00 2001
From: bentley
Date: Mon, 15 Oct 2018 08:16:17 +0000
Subject: Omit HSTS headers over unencrypted connections, per RFC 6797.

ok florian@
---
 usr.sbin/httpd/server_fcgi.c | 5 +++--
 usr.sbin/httpd/server_http.c | 8 +++++---
 2 files changed, 8 insertions(+), 5 deletions(-)

(limited to 'usr.sbin/httpd')

diff --git a/usr.sbin/httpd/server_fcgi.c b/usr.sbin/httpd/server_fcgi.c
index 17fab77c493..e0a23fc627a 100644
--- a/usr.sbin/httpd/server_fcgi.c
+++ b/usr.sbin/httpd/server_fcgi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_fcgi.c,v 1.76 2018/05/19 13:56:56 jsing Exp $ */
+/* $OpenBSD: server_fcgi.c,v 1.77 2018/10/15 08:16:17 bentley Exp $ */
 
 /*
  * Copyright (c) 2014 Florian Obser
@@ -655,7 +655,8 @@ server_fcgi_header(struct client *clt, unsigned int code)
 return (-1);
 
 /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+ srv_conf->flags & SRVFLAG_TLS) {
 if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security", NULL)) == NULL ||
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index bc0f754e0aa..1f1a03d06e2 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.125 2018/10/11 09:52:22 benno Exp $ */
+/* $OpenBSD: server_http.c,v 1.126 2018/10/15 08:16:17 bentley Exp $ */
 
 /*
  * Copyright (c) 2006 - 2018 Reyk Floeter
@@ -950,7 +950,8 @@ server_abort_http(struct client *clt, unsigned int code, const char *msg)
 goto done;
 }
 
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+ srv_conf->flags & SRVFLAG_TLS) {
 if (asprintf(&hstsheader, "Strict-Transport-Security: " "max-age=%d%s%s\r\n", srv_conf->hsts_max_age, srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? 
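Review bot: The new guard in the server_fcgi_header hunk (@@ -655) tests `srv_conf->flags & SRVFLAG_TLS`, a per-server configuration bit, rather than whether the connection the response actually goes out on is encrypted; that is only equivalent if a server with TLS configured can never answer a plaintext request on its listener, which I take to hold in httpd but cannot confirm from the hunk. The identical guard is added in server_abort_http (@@ -950) and server_response_http (@@ -1452), so the same remark applies there. Since RFC 6797 section 7.2 forbids sending the header over a non-secure transport regardless of configuration, the `/* HSTS header */` line would benefit from recording that reason, e.g. `/* HSTS header; RFC 6797 7.2: never emit it over a non-TLS transport */`. Style-wise, the mixed `&`/`&&` expression relies on operator precedence; a single mask test `(srv_conf->flags & (SRVFLAG_SERVER_HSTS | SRVFLAG_TLS)) == (SRVFLAG_SERVER_HSTS | SRVFLAG_TLS)`, or parentheses around each `&` term, would read more clearly. server_fcgi_header's body continues outside the hunk.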
@@ -1452,7 +1453,8 @@ server_response_http(struct client *clt, unsigned int code,
 return (-1);
 
 /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&
+ srv_conf->flags & SRVFLAG_TLS) {
 if ((cl = kv_add(&resp->http_headers, "Strict-Transport-Security", NULL)) == NULL ||
-- 
cgit v1.2.3-59-g8ed1b