Merge pull request #1035 from mozilla-services/feat/1031

feat: add Strict-Transport-Security header
mozilla-services · Oct 4, 2017 · a933325 · a933325
2 parents a9a1330 + 4e79dce
commit a933325
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 0 deletions.
diff --git a/autopush/config.py b/autopush/config.py
@@ -170,6 +170,9 @@ class AutopushConfig(object):
     # Use the cryptography library
     use_cryptography = attrib(default=False)  # type: bool
 
+    # Strict-Transport-Security max age (Default 1 year in secs)
+    sts_max_age = attrib(default=31536000)  # type: int
+
     def __attrs_post_init__(self):
         """Initialize the Settings object"""
         # Setup hosts/ports/urls
@@ -315,6 +318,7 @@ def from_argparse(cls, ns, **kwargs):
                 cert=ns.ssl_cert,
                 dh_param=ns.ssl_dh_param
             ),
+            sts_max_age=ns.sts_max_age,
             **kwargs
         )
 

diff --git a/autopush/main_argparse.py b/autopush/main_argparse.py
@@ -93,6 +93,10 @@ def add_shared_args(parser):
                         help="Use the cryptography library vs. JOSE",
                         action="store_true",
                         default=False, env_var="USE_CRYPTOGRAPHY")
+    parser.add_argument('--sts_max_age',
+                        help="Max Strict Transport Age in seconds",
+                        type=int, default=31536000,
+                        env_var="STS_MAX_AGE")
     # No ENV because this is for humans
     _add_external_router_args(parser)
     _obsolete_args(parser)

diff --git a/autopush/tests/test_main.py b/autopush/tests/test_main.py
@@ -260,6 +260,7 @@ class TestArg:
         memusage_port = None
         disable_simplepush = True
         use_cryptography = False
+        sts_max_age = 1234
 
     def setUp(self):
         patchers = [

diff --git a/autopush/tests/test_web_base.py b/autopush/tests/test_web_base.py
@@ -116,6 +116,16 @@ def test_cors_options(self):
         eq_(base._headers[ch3], self.CORS_HEADERS)
         eq_(base._headers[ch4], self.CORS_RESPONSE_HEADERS)
 
+    def test_sts_max_age_header(self):
+        args = {"api_ver": "v1", "token": "test"}
+        base = self.base
+        base.conf.sts_max_age = 86400
+        base.prepare()
+        base.options(args)
+        sts_header = base._headers.get("Strict-Transport-Security")
+        ok_("max-age=86400" in sts_header)
+        ok_("includeSubDomains" in sts_header)
+
     def test_write_error(self):
         """ Write error is triggered by sending the app a request
         with an invalid method (e.g. "put" instead of "PUT").

diff --git a/autopush/web/base.py b/autopush/web/base.py
@@ -163,6 +163,12 @@ def prepare(self):
                             ",".join(self.cors_request_headers))
             self.set_header("Access-Control-Expose-Headers",
                             ",".join(self.cors_response_headers))
+        if self.conf.sts_max_age:
+            self.set_header("Strict-Transport-Security",
+                            ";".join([
+                                "max-age={}".format(self.conf.sts_max_age),
+                                "includeSubDomains"
+                                ]))
 
     #############################################################
     #                    Cyclone HTTP Methods