cmd/godoc: set Strict-Transport-Security header in production

adg · adg · commit c9a2436076cc · 2016-05-02T17:22:30.000Z
This coerces browsers into enforcing HTTPS-only for golang.org. Change-Id: I91a4cc64b10b9836ef5623314a3cf22a54033dc2 Reviewed-on: https://go-review.googlesource.com/22673 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/cmd/godoc/handlers.go b/cmd/godoc/handlers.go
@@ -54,6 +54,7 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, r.URL.String(), http.StatusFound)
 		return
 	}
+	w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
 	h.h.ServeHTTP(w, r)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
`54`	`54`	`http.Redirect(w, r, r.URL.String(), http.StatusFound)`
`55`	`55`	`return`
`56`	`56`	`}`
	`57`	`+ w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")`
`57`	`58`	`h.h.ServeHTTP(w, r)`
`58`	`59`	`}`
`59`	`60`