Open dswhite42 opened 5 years ago
I think this can be accomplished with the following change. (I'm running this locally now).
$ diff -u server/server.go.dist server/server.go
--- server/server.go.dist 2019-01-29 17:28:54.379518024 -0600
+++ server/server.go 2019-01-29 17:29:38.542969872 -0600
@@ -63,6 +63,7 @@
ContentTypeNosniff: "nosniff",
XFrameOptions: "SAMEORIGIN",
ContentSecurityPolicy: "default-src 'self' blob: https://api.github.com;",
+ HSTSMaxAge: 31536000,
}))
// if auto-redirect is set, forward port 80 to port 443
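Review bot: the hunk sets HSTSMaxAge to 31536000 (one year), while the issue text below asks for "max-age=63072000; includeSubdomains;" (two years, subdomains included), and nothing in the hunk shows the includeSubdomains directive being enabled; either use 63072000 here to match the requested header, or say in the change why the shorter max-age was chosen, and check which value the Qualys finding actually expects. It is also worth confirming that this middleware option only emits the header on TLS responses, since the issue relies on the header being a no-op when Goldfish runs in plain HTTP mode.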
When Qualys does a vulnerability scan on Goldfish, one of the vulns it reports is "Strict-Transport-Security HTTP Header missing". Could this be added?
Strict-Transport-Security "max-age=63072000; includeSubdomains;"
If I read the spec right, this should work both when Goldfish is running in HTTP mode (where the header is ignored) and when it is running in HTTPS mode (where it does what it's supposed to).
Thanks!
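The behaviour the issue relies on (the header only matters on HTTPS responses, and a scanner checks for its presence, its max-age and includeSubDomains), as an added Go example that is not Goldfish's own code and does not use its middleware: withHSTS adds the header only on TLS connections, and checkHSTS is a small scanner-style check that parses a header value the way the requested "max-age=63072000; includeSubdomains;" would be parsed (trailing semicolon tolerated). The hostname goldfish.example is a constructed placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// hstsHeader builds a Strict-Transport-Security value from a max-age in
// seconds and an includeSubDomains flag (the issue asks for 63072000 with
// subdomains included).
func hstsHeader(maxAge int, includeSubdomains bool) string {
	v := "max-age=" + strconv.Itoa(maxAge)
	if includeSubdomains {
		v += "; includeSubDomains"
	}
	return v
}

// withHSTS wraps a handler and sets the header only on TLS requests.
// Browsers ignore HSTS received over plain HTTP, so emitting it there is
// harmless but useless; gating on r.TLS keeps the HTTP-mode response clean.
func withHSTS(next http.Handler, maxAge int, includeSubdomains bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsHeader(maxAge, includeSubdomains))
		}
		next.ServeHTTP(w, r)
	})
}

// responseHeader runs one request through withHSTS and returns the header a
// client would see. httptest.NewRequest marks an https:// target as TLS,
// which is how the HTTP and HTTPS modes are simulated here.
func responseHeader(overTLS bool) string {
	h := withHSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), 63072000, true)
	target := "http://goldfish.example/" // constructed placeholder host
	if overTLS {
		target = "https://goldfish.example/"
	}
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

// checkHSTS parses a header value like a vulnerability scanner would and
// returns the findings: header missing, max-age missing or malformed,
// max-age below minMaxAge seconds, includeSubDomains absent. Directive
// names are case-insensitive and an empty trailing directive is ignored.
func checkHSTS(value string, minMaxAge int) []string {
	if value == "" {
		return []string{"Strict-Transport-Security header missing"}
	}
	var problems []string
	haveMaxAge, subdomains := false, false
	maxAge := 0
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		parts := strings.SplitN(d, "=", 2)
		switch strings.ToLower(strings.TrimSpace(parts[0])) {
		case "max-age":
			if len(parts) != 2 {
				problems = append(problems, "max-age has no value")
				continue
			}
			n, err := strconv.Atoi(strings.Trim(strings.TrimSpace(parts[1]), `"`))
			if err != nil || n < 0 {
				problems = append(problems, "max-age is not a non-negative integer")
				continue
			}
			haveMaxAge, maxAge = true, n
		case "includesubdomains":
			subdomains = true
		}
	}
	if !haveMaxAge {
		problems = append(problems, "max-age directive missing")
	} else if maxAge < minMaxAge {
		problems = append(problems, fmt.Sprintf("max-age %d is below %d", maxAge, minMaxAge))
	}
	if !subdomains {
		problems = append(problems, "includeSubDomains missing")
	}
	return problems
}

func main() {
	fmt.Printf("HTTP mode header:  %q\n", responseHeader(false))
	fmt.Printf("HTTPS mode header: %q\n", responseHeader(true))
	fmt.Println("findings for one-year value:", checkHSTS("max-age=31536000", 63072000))
	fmt.Println("findings for requested value:", checkHSTS("max-age=63072000; includeSubdomains;", 63072000))
}
```

Running it shows an empty header in HTTP mode, the full header in HTTPS mode, and that a bare one-year max-age would still be flagged by a check expecting the two-year value with subdomains.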