feat: Add option to enable hsts header

Emyrk · Emyrk · commit 643f42ac1a5b · 2023-02-09T21:14:59.000-06:00
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -374,6 +374,19 @@ func newConfig() *codersdk.DeploymentConfig {
 			Usage: "Controls if the 'Secure' property is set on browser session cookies.",
 			Flag:  "secure-auth-cookie",
 		},
+		StrictTransportSecurity: &codersdk.DeploymentConfigField[int]{
+			Name: "Strict-Transport-Security",
+			Usage: "Controls if the 'Strict-Transport-Security' header is set on all responses. " +
+				"This header should only be set if the server is accessed via HTTPS. The value should be a whole number in seconds.",
+			Default: 0,
+			Flag:    "strict-transport-security",
+		},
+		StrictTransportSecurityOptions: &codersdk.DeploymentConfigField[[]string]{
+			Name: "Strict-Transport-Security Options",
+			Usage: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
+				"The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
+			Flag: "strict-transport-security-options",
+		},
 		SSHKeygenAlgorithm: &codersdk.DeploymentConfigField[string]{
 			Name:    "SSH Keygen Algorithm",
 			Usage:   "The algorithm to use for generating ssh keys. Accepted values are \"ed25519\", \"ecdsa\", or \"rsa4096\".",
diff --git a/cli/server.go b/cli/server.go
@@ -457,29 +457,31 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 			}
 
 			options := &coderd.Options{
-				AccessURL:                   accessURLParsed,
-				AppHostname:                 appHostname,
-				AppHostnameRegex:            appHostnameRegex,
-				Logger:                      logger.Named("coderd"),
-				Database:                    dbfake.New(),
-				DERPMap:                     derpMap,
-				Pubsub:                      database.NewPubsubInMemory(),
-				CacheDir:                    cacheDir,
-				GoogleTokenValidator:        googleTokenValidator,
-				GitAuthConfigs:              gitAuthConfigs,
-				RealIPConfig:                realIPConfig,
-				SecureAuthCookie:            cfg.SecureAuthCookie.Value,
-				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
-				TracerProvider:              tracerProvider,
-				Telemetry:                   telemetry.NewNoop(),
-				MetricsCacheRefreshInterval: cfg.MetricsCacheRefreshInterval.Value,
-				AgentStatsRefreshInterval:   cfg.AgentStatRefreshInterval.Value,
-				DeploymentConfig:            cfg,
-				PrometheusRegistry:          prometheus.NewRegistry(),
-				APIRateLimit:                cfg.RateLimit.API.Value,
-				LoginRateLimit:              loginRateLimit,
-				FilesRateLimit:              filesRateLimit,
-				HTTPClient:                  httpClient,
+				AccessURL:                      accessURLParsed,
+				AppHostname:                    appHostname,
+				AppHostnameRegex:               appHostnameRegex,
+				Logger:                         logger.Named("coderd"),
+				Database:                       dbfake.New(),
+				DERPMap:                        derpMap,
+				Pubsub:                         database.NewPubsubInMemory(),
+				CacheDir:                       cacheDir,
+				GoogleTokenValidator:           googleTokenValidator,
+				GitAuthConfigs:                 gitAuthConfigs,
+				RealIPConfig:                   realIPConfig,
+				SecureAuthCookie:               cfg.SecureAuthCookie.Value,
+				StrictTransportSecurityAge:     cfg.StrictTransportSecurity.Value,
+				StrictTransportSecurityOptions: cfg.StrictTransportSecurityOptions.Value,
+				SSHKeygenAlgorithm:             sshKeygenAlgorithm,
+				TracerProvider:                 tracerProvider,
+				Telemetry:                      telemetry.NewNoop(),
+				MetricsCacheRefreshInterval:    cfg.MetricsCacheRefreshInterval.Value,
+				AgentStatsRefreshInterval:      cfg.AgentStatRefreshInterval.Value,
+				DeploymentConfig:               cfg,
+				PrometheusRegistry:             prometheus.NewRegistry(),
+				APIRateLimit:                   cfg.RateLimit.API.Value,
+				LoginRateLimit:                 loginRateLimit,
+				FilesRateLimit:                 filesRateLimit,
+				HTTPClient:                     httpClient,
 			}
 			if tlsConfig != nil {
 				options.TLSCertificates = tlsConfig.Certificates
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -103,6 +103,8 @@ type Options struct {
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
 	SecureAuthCookie               bool
+	StrictTransportSecurityAge     int
+	StrictTransportSecurityOptions []string
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
 	Telemetry                      telemetry.Reporter
 	TracerProvider                 trace.TracerProvider
@@ -222,6 +224,15 @@ func New(options *Options) *API {
 		options.MetricsCacheRefreshInterval,
 	)
 
+	staticHandler := site.Handler(site.FS(), binFS, binHashes)
+	// Static file handler must be wrapped with HSTS handler if the
+	// StrictTransportSecurityAge is set. We only need to set this header on
+	// static files since it only affects browsers.
+	staticHandler, err = httpmw.HSTS(staticHandler, options.StrictTransportSecurityAge, options.StrictTransportSecurityOptions)
+	if err != nil {
+		panic(xerrors.Errorf("coderd: setting hsts header failed (options: %v): %w", options.StrictTransportSecurityOptions, err))
+	}
+
 	r := chi.NewRouter()
 	api := &API{
 		ID:          uuid.New(),
diff --git a/coderd/httpmw/hsts.go b/coderd/httpmw/hsts.go
@@ -0,0 +1,58 @@
+package httpmw
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"golang.org/x/xerrors"
+)
+
+const (
+	hstsHeader = "Strict-Transport-Security"
+)
+
+// HSTS will add the strict-transport-security header if enabled. This header
+// forces a browser to always use https for the domain after it loads https once.
+// Meaning: On first load of product.coder.com, they are redirected to https. On
+// all subsequent loads, the client's local browser forces https. This prevents
+// man in the middle.
+//
+// This header only makes sense if the app is using tls.
+//
+// Full header example:
+// Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+func HSTS(next http.Handler, maxAge int, options []string) (http.Handler, error) {
+	if maxAge <= 0 {
+		// No header, so no need to wrap the handler
+		return next, nil
+	}
+
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+	var str strings.Builder
+	_, err := str.WriteString(fmt.Sprintf("max-age=%d", maxAge))
+	if err != nil {
+		return nil, xerrors.Errorf("hsts: write max-age: %w", err)
+	}
+
+	for _, option := range options {
+		switch {
+		// Only allow valid options and fix any casing mistakes
+		case strings.EqualFold(option, "includeSubDomains"):
+			option = "includeSubDomains"
+		case strings.EqualFold(option, "preload"):
+			option = "preload"
+		default:
+			return nil, xerrors.Errorf("hsts: invalid option: %q. Must be 'preload' and/or 'includeSubDomains'", option)
+		}
+		_, err = str.WriteString("; " + option)
+		if err != nil {
+			return nil, xerrors.Errorf("hsts: write option: %w", err)
+		}
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(hstsHeader, str.String())
+		next.ServeHTTP(w, r)
+	}), nil
+}
diff --git a/coderd/httpmw/hsts_test.go b/coderd/httpmw/hsts_test.go
@@ -0,0 +1,100 @@
+package httpmw_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/coder/coder/coderd/httpmw"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestHSTS(t *testing.T) {
+	tests := []struct {
+		Name    string
+		MaxAge  int
+		Options []string
+
+		wantErr      bool
+		expectHeader string
+	}{
+		{
+			Name:    "Empty",
+			MaxAge:  0,
+			Options: nil,
+		},
+		{
+			Name:    "NoAge",
+			MaxAge:  0,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:    "NegativeAge",
+			MaxAge:  -100,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:         "Age",
+			MaxAge:       1000,
+			Options:      []string{},
+			expectHeader: "max-age=1000",
+		},
+		{
+			Name:   "AgeSubDomains",
+			MaxAge: 1000,
+			// Mess with casing
+			Options:      []string{"INCLUDESUBDOMAINS"},
+			expectHeader: "max-age=1000; includeSubDomains",
+		},
+		{
+			Name:         "AgePreload",
+			MaxAge:       1000,
+			Options:      []string{"Preload"},
+			expectHeader: "max-age=1000; preload",
+		},
+		{
+			Name:         "AllOptions",
+			MaxAge:       1000,
+			Options:      []string{"preload", "includeSubDomains"},
+			expectHeader: "max-age=1000; preload; includeSubDomains",
+		},
+
+		// Error values
+		{
+			Name:    "BadOption",
+			MaxAge:  100,
+			Options: []string{"not-valid"},
+			wantErr: true,
+		},
+		{
+			Name:    "BadOptions",
+			MaxAge:  100,
+			Options: []string{"includeSubDomains", "not-valid", "still-not-valid"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			got, err := httpmw.HSTS(handler, tt.MaxAge, tt.Options)
+			if tt.wantErr {
+				require.Error(t, err, "Expect error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+				return
+			}
+
+			require.NoError(t, err, "Expect no error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+			req := httptest.NewRequest("GET", "/", nil)
+			res := httptest.NewRecorder()
+
+			got.ServeHTTP(res, req)
+			require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")
+		})
+	}
+}
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -126,6 +126,8 @@ type DeploymentConfig struct {
 	TLS                             *TLSConfig                              `json:"tls" typescript:",notnull"`
 	Trace                           *TraceConfig                            `json:"trace" typescript:",notnull"`
 	SecureAuthCookie                *DeploymentConfigField[bool]            `json:"secure_auth_cookie" typescript:",notnull"`
+	StrictTransportSecurity         *DeploymentConfigField[int]             `json:"strict_transport_security" typescript:",notnull"`
+	StrictTransportSecurityOptions  *DeploymentConfigField[[]string]        `json:"strict_transport_security_options" typescript:",notnull"`
 	SSHKeygenAlgorithm              *DeploymentConfigField[string]          `json:"ssh_keygen_algorithm" typescript:",notnull"`
 	MetricsCacheRefreshInterval     *DeploymentConfigField[time.Duration]   `json:"metrics_cache_refresh_interval" typescript:",notnull"`
 	AgentStatRefreshInterval        *DeploymentConfigField[time.Duration]   `json:"agent_stat_refresh_interval" typescript:",notnull"`
