Merge branch 'hsts-check-port-443' into 'master'

Only enable HSTS header for HTTPS and port 443

### What does this MR do?

This MR adds a check that the port used is 443, in addition to HTTPS being enabled, when activating the HSTS header.

### Why was this MR needed?

If a user is using a non-standard port for SSL, enabling this header would send clients to port 443 when that port is invalid.

### What are the relevant issue numbers?

Closes https://github.com/gitlabhq/gitlabhq/issues/9449

See merge request !966

2 files changed, 5 insertions, 1 deletions

diff --git a/CHANGELOG b/CHANGELOG
index adb1d65c135..54d02aff139 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.13.0 (unreleased)
+  - Only enable HSTS header for HTTPS and port 443 (Stan Hu)
   - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
   - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
   - Add branch switching support for graphs (Daniel Gerhardt)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8a9d0ce6ff4..362b03e0d5e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
     headers['X-Content-Type-Options'] = 'nosniff'
-    headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https
+    # Enabling HSTS for non-standard ports would send clients to the wrong port
+    if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443
+      headers['Strict-Transport-Security'] = 'max-age=31536000'
+    end
   end
 
   def add_gon_variables