diff options
author | Stan Hu <stanhu@gmail.com> | 2015-07-12 21:37:10 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2015-07-12 21:37:10 -0700 |
commit | f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2 (patch) | |
tree | ddd43d8ebc5a1a6ed7a46661c5d2715e9816e272 | |
parent | d0b240136a444a61c3c8960cba33f987022fa0f4 (diff) | |
download | gitlab-ce-f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2.tar.gz |
Only enable HSTS header for HTTPS and port 443
Closes https://github.com/gitlabhq/gitlabhq/issues/9449
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 5 |
2 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG index 7d5f186d755..e95c72790d6 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.13.0 (unreleased) + - Only enable HSTS header for HTTPS and port 443 (Stan Hu) - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu) - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt) - Add branch switching support for graphs (Daniel Gerhardt) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8a9d0ce6ff4..362b03e0d5e 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base headers['X-XSS-Protection'] = '1; mode=block' headers['X-UA-Compatible'] = 'IE=edge' headers['X-Content-Type-Options'] = 'nosniff' - headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https + # Enabling HSTS for non-standard ports would send clients to the wrong port + if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443 + headers['Strict-Transport-Security'] = 'max-age=31536000' + end end def add_gon_variables |