Only enable HSTS header for HTTPS and port 443

Closes https://github.com/gitlabhq/gitlabhq/issues/9449
author: Stan Hu <stanhu@gmail.com> 2015-07-12 21:37:10 -0700
committer: Stan Hu <stanhu@gmail.com> 2015-07-12 21:37:10 -0700
commit: f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2 (patch)
tree: ddd43d8ebc5a1a6ed7a46661c5d2715e9816e272 /app
parent: d0b240136a444a61c3c8960cba33f987022fa0f4 (diff)
download: gitlab-ce-f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8a9d0ce6ff4..362b03e0d5e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -183,7 +183,10 @@ class ApplicationController < ActionController::Base
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
     headers['X-Content-Type-Options'] = 'nosniff'
-    headers['Strict-Transport-Security'] = 'max-age=31536000' if Gitlab.config.gitlab.https
+    # Enabling HSTS for non-standard ports would send clients to the wrong port
+    if Gitlab.config.gitlab.https and Gitlab.config.gitlab.port == 443
+      headers['Strict-Transport-Security'] = 'max-age=31536000'
+    end
   end
 
   def add_gon_variables
author	Stan Hu <stanhu@gmail.com>	2015-07-12 21:37:10 -0700
committer	Stan Hu <stanhu@gmail.com>	2015-07-12 21:37:10 -0700
commit	f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2 (patch)
tree	ddd43d8ebc5a1a6ed7a46661c5d2715e9816e272 /app
parent	d0b240136a444a61c3c8960cba33f987022fa0f4 (diff)
download	gitlab-ce-f4f216db67e2a02ed8f5057d8a74f77cf2fc8ab2.tar.gz