From: Jack Allnutt Date: Sun, 18 Mar 2012 20:57:43 +0000 (+0000) Subject: Add support for HTTP Strict Transport Security. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=164002501918510b693c19be9bfe85415aede0d4;p=KiwiIRC.git Add support for HTTP Strict Transport Security. HSTS forces the browser to only send over HTTPS. Can be enabled/disabled in the configuration file. --- diff --git a/server/app.js b/server/app.js index eaf4633..fa08a42 100755 --- a/server/app.js +++ b/server/app.js @@ -553,10 +553,10 @@ this.rebindIRCCommands = function () { }; -this.httpHandler = function (request, response) { - var uri, uri_parts, subs, useragent, agent, server_set, server, nick, debug, touchscreen, hash, +this.httpHandler = function (request, response, serverconf) { + var uri, uri_parts, subs, useragent, agent, server_set, serverconf, nick, debug, touchscreen, hash, min = {}, public_http_path, port, ssl, obj, args, ircuri, target, modifiers, query, - secure = (typeof request.client.encrypted === 'object'); + secure = serverconf.secure || false; try { if (kiwi.config.handle_http) { @@ -616,6 +616,9 @@ this.httpHandler = function (request, response) { } else { response.setHeader('Content-type', 'application/javascript'); response.setHeader('ETag', kiwi.cache.alljs_hash); + if ((secure) && (serverconf.hsts)) { + response.setHeader("Strict-Transport-Security", "max-age=604 800"); + } response.write(kiwi.cache.alljs); } response.end(); @@ -700,6 +703,9 @@ this.httpHandler = function (request, response) { } else { response.setHeader('Etag', kiwi.cache.html[hash].hash); response.setHeader('Content-type', 'text/html'); + if ((secure) && (serverconf.hsts)) { + response.setHeader("Strict-Transport-Security", "max-age=604 800"); + } response.write(kiwi.cache.html[hash].html); } response.end(); @@ -716,6 +722,9 @@ this.httpHandler = function (request, response) { } else { response.setHeader('Etag', hash2); response.setHeader('Content-type', 'text/html'); + if ((secure) && (serverconf.hsts)) { + response.setHeader("Strict-Transport-Security", "max-age=604 800"); + } response.write(html); } } catch (e) { @@ -768,13 +777,17 @@ this.websocketListen = function (servers, handler) { opts.ca = fs.readFileSync(__dirname + '/' + server.ssl_ca); } - hs = https.createServer(opts, handler); + hs = https.createServer(opts, function (request, response) { + handler(request, response, server); + }); kiwi.io.push(ws.listen(hs, {secure: true})); hs.listen(server.port, server.address); kiwi.log('Listening on ' + server.address + ':' + server.port.toString() + ' with SSL'); } else { // Start some plain-text server up - hs = http.createServer(handler); + hs = http.createServer(function (request, response) { + handler(request, response, server); + }); kiwi.io.push(ws.listen(hs, {secure: false})); hs.listen(server.port, server.address); kiwi.log('Listening on ' + server.address + ':' + server.port.toString() + ' without SSL'); diff --git a/server/config.json b/server/config.json old mode 100644 new mode 100755 index 75a38be..686a384 --- a/server/config.json +++ b/server/config.json @@ -2,6 +2,7 @@ "servers": [ { "secure": true, + "hsts": true, "port": 7777, "address": "0.0.0.0", diff --git a/server/kiwi.js b/server/kiwi.js old mode 100644 new mode 100755 index 1afdb41..a4afaa2 --- a/server/kiwi.js +++ b/server/kiwi.js @@ -130,8 +130,8 @@ if (this.config.handle_http) { this.cache = {alljs: '', html: []}; } this.httpServers = []; -this.httpHandler = function (request, response) { - return app.httpHandler(request, response); +this.httpHandler = function (request, response, server) { + return app.httpHandler(request, response, server); }