feat: Add option to enable hsts header (#6147)

Emyrk · web-flow · commit 6189035e9899 · 2023-02-10T10:52:49.000-06:00
* feat: Add option to enable hsts header
* Update golden files
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -374,6 +374,20 @@ func newConfig() *codersdk.DeploymentConfig {
 			Usage: "Controls if the 'Secure' property is set on browser session cookies.",
 			Flag:  "secure-auth-cookie",
 		},
+		StrictTransportSecurity: &codersdk.DeploymentConfigField[int]{
+			Name: "Strict-Transport-Security",
+			Usage: "Controls if the 'Strict-Transport-Security' header is set on all static file responses. " +
+				"This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of " +
+				"the header.",
+			Default: 0,
+			Flag:    "strict-transport-security",
+		},
+		StrictTransportSecurityOptions: &codersdk.DeploymentConfigField[[]string]{
+			Name: "Strict-Transport-Security Options",
+			Usage: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
+				"The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
+			Flag: "strict-transport-security-options",
+		},
 		SSHKeygenAlgorithm: &codersdk.DeploymentConfigField[string]{
 			Name:    "SSH Keygen Algorithm",
 			Usage:   "The algorithm to use for generating ssh keys. Accepted values are \"ed25519\", \"ecdsa\", or \"rsa4096\".",
diff --git a/cli/server.go b/cli/server.go
@@ -485,6 +485,13 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 				options.TLSCertificates = tlsConfig.Certificates
 			}
 
+			if cfg.StrictTransportSecurity.Value > 0 {
+				options.StrictTransportSecurityCfg, err = httpmw.HSTSConfigOptions(cfg.StrictTransportSecurity.Value, cfg.StrictTransportSecurityOptions.Value)
+				if err != nil {
+					return xerrors.Errorf("coderd: setting hsts header failed (options: %v): %w", cfg.StrictTransportSecurityOptions.Value, err)
+				}
+			}
+
 			if cfg.UpdateCheck.Value {
 				options.UpdateCheckOptions = &updatecheck.Options{
 					// Avoid spamming GitHub API checking for updates.
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -280,6 +280,23 @@ Flags:
                                                           "ed25519", "ecdsa", or "rsa4096".
                                                           Consumes $CODER_SSH_KEYGEN_ALGORITHM
                                                           (default "ed25519")
+      --strict-transport-security int                     Controls if the
+                                                          'Strict-Transport-Security' header
+                                                          is set on all static file responses.
+                                                          This header should only be set if
+                                                          the server is accessed via HTTPS.
+                                                          This value is the MaxAge in seconds
+                                                          of the header.
+                                                          Consumes $CODER_STRICT_TRANSPORT_SECURITY
+      --strict-transport-security-options strings         Two optional fields can be set in
+                                                          the Strict-Transport-Security
+                                                          header; 'includeSubDomains' and
+                                                          'preload'. The
+                                                          'strict-transport-security' flag
+                                                          must be set to a non-zero value for
+                                                          these options to be used.
+                                                          Consumes
+                                                          $CODER_STRICT_TRANSPORT_SECURITY_OPTIONS
       --swagger-enable                                    Expose the swagger endpoint via
                                                           /swagger.
                                                           Consumes $CODER_SWAGGER_ENABLE
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -103,6 +103,7 @@ type Options struct {
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
 	SecureAuthCookie               bool
+	StrictTransportSecurityCfg     httpmw.HSTSConfig
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
 	Telemetry                      telemetry.Reporter
 	TracerProvider                 trace.TracerProvider
@@ -222,12 +223,18 @@ func New(options *Options) *API {
 		options.MetricsCacheRefreshInterval,
 	)
 
+	staticHandler := site.Handler(site.FS(), binFS, binHashes)
+	// Static file handler must be wrapped with HSTS handler if the
+	// StrictTransportSecurityAge is set. We only need to set this header on
+	// static files since it only affects browsers.
+	staticHandler = httpmw.HSTS(staticHandler, options.StrictTransportSecurityCfg)
+
 	r := chi.NewRouter()
 	api := &API{
 		ID:          uuid.New(),
 		Options:     options,
 		RootHandler: r,
-		siteHandler: site.Handler(site.FS(), binFS, binHashes),
+		siteHandler: staticHandler,
 		HTTPAuth: &HTTPAuthorizer{
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
diff --git a/coderd/httpmw/hsts.go b/coderd/httpmw/hsts.go
@@ -0,0 +1,72 @@
+package httpmw
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"golang.org/x/xerrors"
+)
+
+const (
+	hstsHeader = "Strict-Transport-Security"
+)
+
+type HSTSConfig struct {
+	// HeaderValue is an empty string if hsts header is disabled.
+	HeaderValue string
+}
+
+func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error) {
+	if maxAge <= 0 {
+		// No header, so no need to build the header string.
+		return HSTSConfig{}, nil
+	}
+
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+	var str strings.Builder
+	_, err := str.WriteString(fmt.Sprintf("max-age=%d", maxAge))
+	if err != nil {
+		return HSTSConfig{}, xerrors.Errorf("hsts: write max-age: %w", err)
+	}
+
+	for _, option := range options {
+		switch {
+		// Only allow valid options and fix any casing mistakes
+		case strings.EqualFold(option, "includeSubDomains"):
+			option = "includeSubDomains"
+		case strings.EqualFold(option, "preload"):
+			option = "preload"
+		default:
+			return HSTSConfig{}, xerrors.Errorf("hsts: invalid option: %q. Must be 'preload' and/or 'includeSubDomains'", option)
+		}
+		_, err = str.WriteString("; " + option)
+		if err != nil {
+			return HSTSConfig{}, xerrors.Errorf("hsts: write option: %w", err)
+		}
+	}
+	return HSTSConfig{
+		HeaderValue: str.String(),
+	}, nil
+}
+
+// HSTS will add the strict-transport-security header if enabled. This header
+// forces a browser to always use https for the domain after it loads https once.
+// Meaning: On first load of product.coder.com, they are redirected to https. On
+// all subsequent loads, the client's local browser forces https. This prevents
+// man in the middle.
+//
+// This header only makes sense if the app is using tls.
+//
+// Full header example:
+// Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+func HSTS(next http.Handler, cfg HSTSConfig) http.Handler {
+	if cfg.HeaderValue == "" {
+		// No header, so no need to wrap the handler.
+		return next
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(hstsHeader, cfg.HeaderValue)
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/coderd/httpmw/hsts_test.go b/coderd/httpmw/hsts_test.go
@@ -0,0 +1,103 @@
+package httpmw_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpmw"
+)
+
+func TestHSTS(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		Name    string
+		MaxAge  int
+		Options []string
+
+		wantErr      bool
+		expectHeader string
+	}{
+		{
+			Name:    "Empty",
+			MaxAge:  0,
+			Options: nil,
+		},
+		{
+			Name:    "NoAge",
+			MaxAge:  0,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:    "NegativeAge",
+			MaxAge:  -100,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:         "Age",
+			MaxAge:       1000,
+			Options:      []string{},
+			expectHeader: "max-age=1000",
+		},
+		{
+			Name:   "AgeSubDomains",
+			MaxAge: 1000,
+			// Mess with casing
+			Options:      []string{"INCLUDESUBDOMAINS"},
+			expectHeader: "max-age=1000; includeSubDomains",
+		},
+		{
+			Name:         "AgePreload",
+			MaxAge:       1000,
+			Options:      []string{"Preload"},
+			expectHeader: "max-age=1000; preload",
+		},
+		{
+			Name:         "AllOptions",
+			MaxAge:       1000,
+			Options:      []string{"preload", "includeSubDomains"},
+			expectHeader: "max-age=1000; preload; includeSubDomains",
+		},
+
+		// Error values
+		{
+			Name:    "BadOption",
+			MaxAge:  100,
+			Options: []string{"not-valid"},
+			wantErr: true,
+		},
+		{
+			Name:    "BadOptions",
+			MaxAge:  100,
+			Options: []string{"includeSubDomains", "not-valid", "still-not-valid"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			cfg, err := httpmw.HSTSConfigOptions(tt.MaxAge, tt.Options)
+			if tt.wantErr {
+				require.Error(t, err, "Expect error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+				return
+			}
+			require.NoError(t, err, "Expect no error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+
+			got := httpmw.HSTS(handler, cfg)
+			req := httptest.NewRequest("GET", "/", nil)
+			res := httptest.NewRecorder()
+			got.ServeHTTP(res, req)
+			
+			require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")
+		})
+	}
+}
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -126,6 +126,8 @@ type DeploymentConfig struct {
 	TLS                             *TLSConfig                              `json:"tls" typescript:",notnull"`
 	Trace                           *TraceConfig                            `json:"trace" typescript:",notnull"`
 	SecureAuthCookie                *DeploymentConfigField[bool]            `json:"secure_auth_cookie" typescript:",notnull"`
+	StrictTransportSecurity         *DeploymentConfigField[int]             `json:"strict_transport_security" typescript:",notnull"`
+	StrictTransportSecurityOptions  *DeploymentConfigField[[]string]        `json:"strict_transport_security_options" typescript:",notnull"`
 	SSHKeygenAlgorithm              *DeploymentConfigField[string]          `json:"ssh_keygen_algorithm" typescript:",notnull"`
 	MetricsCacheRefreshInterval     *DeploymentConfigField[time.Duration]   `json:"metrics_cache_refresh_interval" typescript:",notnull"`
 	AgentStatRefreshInterval        *DeploymentConfigField[time.Duration]   `json:"agent_stat_refresh_interval" typescript:",notnull"`
diff --git a/docs/api/general.md b/docs/api/general.md
@@ -857,6 +857,28 @@ curl -X GET http://coder-server:8080/api/v2/config/deployment \
     "usage": "string",
     "value": "string"
   },
+  "strict_transport_security": {
+    "default": 0,
+    "enterprise": true,
+    "flag": "string",
+    "hidden": true,
+    "name": "string",
+    "secret": true,
+    "shorthand": "string",
+    "usage": "string",
+    "value": 0
+  },
+  "strict_transport_security_options": {
+    "default": ["string"],
+    "enterprise": true,
+    "flag": "string",
+    "hidden": true,
+    "name": "string",
+    "secret": true,
+    "shorthand": "string",
+    "usage": "string",
+    "value": ["string"]
+  },
   "swagger": {
     "enable": {
       "default": true,
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
@@ -2256,6 +2256,28 @@ CreateParameterRequest is a structure used to create a new parameter value for a
     "usage": "string",
     "value": "string"
   },
+  "strict_transport_security": {
+    "default": 0,
+    "enterprise": true,
+    "flag": "string",
+    "hidden": true,
+    "name": "string",
+    "secret": true,
+    "shorthand": "string",
+    "usage": "string",
+    "value": 0
+  },
+  "strict_transport_security_options": {
+    "default": ["string"],
+    "enterprise": true,
+    "flag": "string",
+    "hidden": true,
+    "name": "string",
+    "secret": true,
+    "shorthand": "string",
+    "usage": "string",
+    "value": ["string"]
+  },
   "swagger": {
     "enable": {
       "default": true,
@@ -2515,6 +2537,8 @@ CreateParameterRequest is a structure used to create a new parameter value for a
 | `scim_api_key`                       | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string)                                             | false    |              |                                                 |
 | `secure_auth_cookie`                 | [codersdk.DeploymentConfigField-bool](#codersdkdeploymentconfigfield-bool)                                                 | false    |              |                                                 |
 | `ssh_keygen_algorithm`               | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string)                                             | false    |              |                                                 |
+| `strict_transport_security`          | [codersdk.DeploymentConfigField-int](#codersdkdeploymentconfigfield-int)                                                   | false    |              |                                                 |
+| `strict_transport_security_options`  | [codersdk.DeploymentConfigField-array_string](#codersdkdeploymentconfigfield-array_string)                                 | false    |              |                                                 |
 | `swagger`                            | [codersdk.SwaggerConfig](#codersdkswaggerconfig)                                                                           | false    |              |                                                 |
 | `telemetry`                          | [codersdk.TelemetryConfig](#codersdktelemetryconfig)                                                                       | false    |              |                                                 |
 | `tls`                                | [codersdk.TLSConfig](#codersdktlsconfig)                                                                                   | false    |              |                                                 |
diff --git a/docs/cli/coder_server.md b/docs/cli/coder_server.md
@@ -118,6 +118,10 @@ coder server [flags]
                                                           Consumes $CODER_MAX_SESSION_EXPIRY (default 24h0m0s)
       --ssh-keygen-algorithm string                       The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".
                                                           Consumes $CODER_SSH_KEYGEN_ALGORITHM (default "ed25519")
+      --strict-transport-security int                     Controls if the 'Strict-Transport-Security' header is set on all static file responses. This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of the header.
+                                                          Consumes $CODER_STRICT_TRANSPORT_SECURITY
+      --strict-transport-security-options strings         Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.
+                                                          Consumes $CODER_STRICT_TRANSPORT_SECURITY_OPTIONS
       --swagger-enable                                    Expose the swagger endpoint via /swagger.
                                                           Consumes $CODER_SWAGGER_ENABLE
       --telemetry                                         Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -309,6 +309,8 @@ export interface DeploymentConfig {
   readonly tls: TLSConfig
   readonly trace: TraceConfig
   readonly secure_auth_cookie: DeploymentConfigField<boolean>
+  readonly strict_transport_security: DeploymentConfigField<number>
+  readonly strict_transport_security_options: DeploymentConfigField<string[]>
   readonly ssh_keygen_algorithm: DeploymentConfigField<string>
   readonly metrics_cache_refresh_interval: DeploymentConfigField<number>
   readonly agent_stat_refresh_interval: DeploymentConfigField<number>
