[OpenWrt-Devel] [PATCH 1/2] services/uhttpd: add Strict-Transport-Security option
Florian Eckert
fe at dev.tdt.de
Thu Aug 2 05:16:02 EDT 2018
This is a web security policy mechanism that helps to protect websites
against protocol downgrade attacks and cookie hijacking.
HSTS is an IETF standards track protocol and is specified in RFC 6797.
This patch will add the possibility to specify a max-age with the option
-P on uhttpd start. If the option is set and https is enabled then force
the client with the Strict-Transport-Security header for the specified
time to only communicate over https for this content.
This is a follow up request from:
https://github.com/openwrt/luci/pull/1555
Signed-off-by: Florian Eckert <fe at dev.tdt.de>
---
...-Strict-Transport-Security-header-max-age.patch | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
diff --git a/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
new file mode 100644
index 0000000000..b64b991ce3
--- /dev/null
+++ b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
@@ -0,0 +1,55 @@
+--- a/main.c
++++ b/main.c
+@@ -135,6 +135,7 @@ static int usage(const char *name)
+ " -C file ASN.1 server certificate file\n"
+ " -K file ASN.1 server private key file\n"
+ " -q Redirect all HTTP requests to HTTPS\n"
++ " -P seconds Set Strict-Transport-Security header max-age\n"
+ #endif
+ " -h directory Specify the document root, default is '.'\n"
+ " -E string Use given virtual URL as 404 error handler\n"
+@@ -232,7 +233,7 @@ int main(int argc, char **argv)
+ init_defaults_pre();
+ signal(SIGPIPE, SIG_IGN);
+
+- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
++ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ switch(ch) {
+ #ifdef HAVE_TLS
+ case 'C':
+@@ -247,6 +248,10 @@ int main(int argc, char **argv)
+ conf.tls_redirect = 1;
+ break;
+
++ case 'P':
++ conf.hsts = atoi(optarg);
++ break;
++
+ case 's':
+ n_tls++;
+ /* fall through */
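Review bot: `conf.hsts = atoi(optarg);` in the `case 'P':` branch accepts any string without a diagnostic: a non-numeric value such as `-P abc` silently becomes 0 and disables the header, and a negative value is accepted here and only suppressed later by the `conf.hsts > 0` check in client.c. Consider parsing with strtol plus an end-pointer check and rejecting non-numeric or negative input via usage(), so a mistyped max-age fails loudly instead of quietly turning HSTS off.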
+--- a/uhttpd.h
++++ b/uhttpd.h
+@@ -64,6 +64,7 @@ struct config {
+ const char *lua_prefix;
+ const char *ubus_prefix;
+ const char *ubus_socket;
++ int hsts;
+ int no_symlinks;
+ int no_dirlists;
+ int network_timeout;
+--- a/client.c
++++ b/client.c
+@@ -64,6 +64,12 @@ void uh_http_header(struct client *cl, i
+ http_versions[cl->request.version],
+ code, summary, conn, enc);
+
++ if (( cl->tls ) && ( conf.hsts > 0 )) {
++ ustream_printf(cl->us,
++ "Strict-Transport-Security: max-age=%d\r\n",
++ conf.hsts);
++ }
++
+ if (!r->connection_close)
+ ustream_printf(cl->us, "Keep-Alive: timeout=%d\r\n", conf.http_keepalive);
+
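Review bot: the `conf.hsts > 0` guard means `max-age=0` is never emitted, so an administrator cannot use `-P 0` to tell clients to drop a previously cached policy (RFC 6797 assigns max-age=0 exactly that meaning); if that is intended, say so in the commit message or the `-P seconds` usage text, otherwise distinguish "option not given" from "max-age=0". Sending the header only when `cl->tls` is set is correct, since clients must ignore Strict-Transport-Security received over plain HTTP. Minor style: `if (( cl->tls ) && ( conf.hsts > 0 ))` has redundant parentheses and inner spaces; `if (cl->tls && conf.hsts > 0)` matches the surrounding code.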
--
2.11.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel