middleware: fix Strict-Transport-Security header (#17644)

fixes #17641

middleware: fix Strict-Transport-Security header (#17644)
fixes #17641
bd08d8ce · Kyle Brandt · GitHub · 40161584 · bd08d8ce · bd08d8ce
Commit bd08d8ce authored Jun 18, 2019 by Kyle Brandt Committed by GitHub Jun 18, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 4 deletions

pkg/middleware/middleware.go
+4 -4

pkg/middleware/middleware_test.go
+33 -0

No files found.
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -255,14 +255,14 @@ func AddDefaultResponseHeaders() macaron.Handler {
 // AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
 func AddSecurityHeaders(w macaron.ResponseWriter) {
 	if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
-		strictHeader := "Strict-Transport-Security"
-		w.Header().Add(strictHeader, fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge))
+		strictHeaderValues := []string{fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge)}
 		if setting.StrictTransportSecurityPreload {
-			w.Header().Add(strictHeader, "preload")
+			strictHeaderValues = append(strictHeaderValues, "preload")
 		}
 		if setting.StrictTransportSecuritySubDomains {
-			w.Header().Add(strictHeader, "includeSubDomains")
+			strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
 		}
+		w.Header().Add("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
 	}

 	if setting.ContentTypeProtectionHeader {

--- a/pkg/middleware/middleware_test.go
+++ b/pkg/middleware/middleware_test.go
@@ -21,6 +21,39 @@ import (
 	"gopkg.in/macaron.v1"
 )

+func TestMiddleWareSecurityHeaders(t *testing.T) {
+	setting.ERR_TEMPLATE_NAME = "error-template"
+
+	Convey("Given the grafana middleware", t, func() {
+
+		middlewareScenario(t, "middleware should get correct x-xss-protection header", func(sc *scenarioContext) {
+			setting.XSSProtectionHeader = true
+			sc.fakeReq("GET", "/api/").exec()
+			So(sc.resp.Header().Get("X-XSS-Protection"), ShouldEqual, "1; mode=block")
+		})
+
+		middlewareScenario(t, "middleware should not get x-xss-protection when disabled", func(sc *scenarioContext) {
+			setting.XSSProtectionHeader = false
+			sc.fakeReq("GET", "/api/").exec()
+			So(sc.resp.Header().Get("X-XSS-Protection"), ShouldBeEmpty)
+		})
+
+		middlewareScenario(t, "middleware should add correct Strict-Transport-Security header", func(sc *scenarioContext) {
+			setting.StrictTransportSecurity = true
+			setting.Protocol = setting.HTTPS
+			setting.StrictTransportSecurityMaxAge = 64000
+			sc.fakeReq("GET", "/api/").exec()
+			So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000")
+			setting.StrictTransportSecurityPreload = true
+			sc.fakeReq("GET", "/api/").exec()
+			So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload")
+			setting.StrictTransportSecuritySubDomains = true
+			sc.fakeReq("GET", "/api/").exec()
+			So(sc.resp.Header().Get("Strict-Transport-Security"), ShouldEqual, "max-age=64000; preload; includeSubDomains")
+		})
+	})
+}
+
 func TestMiddlewareContext(t *testing.T) {
 	setting.ERR_TEMPLATE_NAME = "error-template"