From 20761e64e14da0c53880d96b66a0caf22586ed95 Mon Sep 17 00:00:00 2001
From: Cody Cutrer
Date: Wed, 15 Nov 2017 11:13:17 -0700
Subject: [PATCH] set HSTS header on SSL conns
closes CORE-101 test plan: * access canvas not via HTTPS * you shouldn't see a Strict-Transport-Security header * access via HTTPS (including via a proxy that terminates the TLS, like an ELB/ALB) * you should see the HSTS header
Change-Id: I75aeda8e2868b82255b9e9f6680db11c0d6a2cd1
Reviewed-on: https://gerrit.instructure.com/132914
Tested-by: Jenkins
Reviewed-by: Rob Orton
Product-Review: Cody Cutrer
QA-Review: Cody Cutrer
---
 app/controllers/application_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8e79517656b..f9417c3a89b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -473,6 +473,7 @@ class ApplicationController < ActionController::Base
     if !files_domain? && Setting.get('block_html_frames', 'true') == 'true' && !@embeddable
       headers['X-Frame-Options'] = 'SAMEORIGIN'
     end
+    headers['Strict-Transport-Security'] = 'max-age=31536000' if request.ssl?
     RequestContextGenerator.store_request_meta(request, @context)
     true
   end
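Review bot: The added HSTS line hard-codes `max-age=31536000` while the X-Frame-Options check two lines above reads its policy through `Setting.get`, so operators cannot stage the rollout (a short max-age first, then a long one) or append `includeSubDomains` without a code change. Consider sourcing it the same way, e.g. `headers['Strict-Transport-Security'] = Setting.get('hsts_header', 'max-age=31536000') if request.ssl?` (the setting name here is constructed, not taken from the page). When TLS is terminated at a proxy, as the commit message describes, `request.ssl?` is derived from the forwarded-proto header the proxy sends, so the check is only as reliable as the proxy's handling of that header; a spoofed value on a plain-HTTP response is harmless because browsers ignore HSTS received over HTTP, but a one-line comment saying so would save the next reader the question. The enclosing method starts outside the hunk, so any earlier return in it would skip setting the header on those responses.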