Enable adding preload tag to HSTS header

hchood · hchood · commit 22a985972ba9 · 2019-01-03T11:47:10.000-05:00
diff --git a/middleware/secure.go b/middleware/secure.go
@@ -53,6 +53,12 @@ type (
 		// trusted web page context.
 		// Optional. Default value "".
 		ContentSecurityPolicy string `yaml:"content_security_policy"`
+
+		// HSTSPreloadEnabled will add the preload tag in the `Strict Transport Security`
+		// header, which enables the domain to be included in the HSTS preload list
+		// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
+		// Optional.  Default value false.
+		HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
 	}
 )
 
@@ -63,6 +69,7 @@ var (
 		XSSProtection:      "1; mode=block",
 		ContentTypeNosniff: "nosniff",
 		XFrameOptions:      "SAMEORIGIN",
+		HSTSPreloadEnabled: false,
 	}
 )
 
@@ -105,6 +112,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 				if !config.HSTSExcludeSubdomains {
 					subdomains = "; includeSubdomains"
 				}
+				if config.HSTSPreloadEnabled {
+					subdomains = fmt.Sprintf("%s; preload", subdomains)
+				}
 				res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))
 			}
 			if config.ContentSecurityPolicy != "" {
diff --git a/middleware/secure_test.go b/middleware/secure_test.go
@@ -42,4 +42,25 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+
+	// Custom, with preload option enabled
+	req.Header.Set(echo.HeaderXForwardedProto, "https")
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	SecureWithConfig(SecureConfig{
+		HSTSMaxAge:         3600,
+		HSTSPreloadEnabled: true,
+	})(h)(c)
+	assert.Equal(t, "max-age=3600; includeSubdomains; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
+
+	// Custom, with preload option enabled and subdomains excluded
+	req.Header.Set(echo.HeaderXForwardedProto, "https")
+	rec = httptest.NewRecorder()
+	c = e.NewContext(req, rec)
+	SecureWithConfig(SecureConfig{
+		HSTSMaxAge:            3600,
+		HSTSPreloadEnabled:    true,
+		HSTSExcludeSubdomains: true,
+	})(h)(c)
+	assert.Equal(t, "max-age=3600; preload", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 }

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,12 @@ type (`
`53`	`53`	`// trusted web page context.`
`54`	`54`	`// Optional. Default value "".`
`55`	`55`	ContentSecurityPolicy string `yaml:"content_security_policy"`
	`56`	`+`
	`57`	+ // HSTSPreloadEnabled will add the preload tag in the `Strict Transport Security`
	`58`	`+ // header, which enables the domain to be included in the HSTS preload list`
	`59`	`+ // maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/`
	`60`	`+ // Optional. Default value false.`
	`61`	+ HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
`56`	`62`	`}`
`57`	`63`	`)`
`58`	`64`
`@@ -63,6 +69,7 @@ var (`
`63`	`69`	`XSSProtection: "1; mode=block",`
`64`	`70`	`ContentTypeNosniff: "nosniff",`
`65`	`71`	`XFrameOptions: "SAMEORIGIN",`
	`72`	`+ HSTSPreloadEnabled: false,`
`66`	`73`	`}`
`67`	`74`	`)`
`68`	`75`
`@@ -105,6 +112,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {`
`105`	`112`	`if !config.HSTSExcludeSubdomains {`
`106`	`113`	`subdomains = "; includeSubdomains"`
`107`	`114`	`}`
	`115`	`+ if config.HSTSPreloadEnabled {`
	`116`	`+ subdomains = fmt.Sprintf("%s; preload", subdomains)`
	`117`	`+ }`
`108`	`118`	`res.Header().Set(echo.HeaderStrictTransportSecurity, fmt.Sprintf("max-age=%d%s", config.HSTSMaxAge, subdomains))`
`109`	`119`	`}`
`110`	`120`	`if config.ContentSecurityPolicy != "" {`