set HSTS header on SSL conns

closes CORE-101

test plan:
 * access canvas not via HTTPS
 * you shouldn't see a Strict-Transport-Security header
 * access via HTTPS (including via a proxy that terminates
   the TLS, like an ELB/ALB)
 * you should see the HSTS header

Change-Id: I75aeda8e2868b82255b9e9f6680db11c0d6a2cd1
Reviewed-on: https://gerrit.instructure.com/132914
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Cody Cutrer 2017-11-15 11:13:17 -07:00
parent 11448fcd8b
commit 20761e64e1
1 changed files with 1 additions and 0 deletions


@ -473,6 +473,7 @@ class ApplicationController < ActionController::Base
if !files_domain? && Setting.get('block_html_frames', 'true') == 'true' && !@embeddable
headers['X-Frame-Options'] = 'SAMEORIGIN'
end
headers['Strict-Transport-Security'] = 'max-age=31536000' if request.ssl?
RequestContextGenerator.store_request_meta(request, @context)
true
end
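Review bot: the new Strict-Transport-Security line hard-codes `max-age=31536000`, while the X-Frame-Options line two lines above reads its policy from `Setting.get`; consider sourcing the max-age (and whether to emit `includeSubDomains`) from a Setting too, so the value can be lowered quickly without a deploy if a hostname that shares the policy turns out not to serve TLS. Also worth a comment on that line: behind the TLS-terminating ELB/ALB named in the test plan, `request.ssl?` is true only because Rack trusts the proxy's `X-Forwarded-Proto` header, and the header is only emitted on responses that reach this filter, so anything rendered before it runs will not carry HSTS.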