coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 0 additions & 3 deletions b/‎.github/workflows/ci.yaml
Lines changed: 0 additions & 3 deletions
diff --git a/‎cli/deployment/config.go
Lines changed: 14 additions & 0 deletions b/‎cli/deployment/config.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎cli/server.go
Lines changed: 7 additions & 0 deletions b/‎cli/server.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 17 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 19 additions & 1 deletion b/‎coderd/coderd.go
Lines changed: 19 additions & 1 deletion
diff --git a/‎coderd/database/dbfake/databasefake.go
Lines changed: 18 additions & 7 deletions b/‎coderd/database/dbfake/databasefake.go
Lines changed: 18 additions & 7 deletions
diff --git a/‎coderd/httpmw/hsts.go
Lines changed: 72 additions & 0 deletions b/‎coderd/httpmw/hsts.go
Lines changed: 72 additions & 0 deletions
diff --git a/‎coderd/httpmw/hsts_test.go
Lines changed: 103 additions & 0 deletions b/‎coderd/httpmw/hsts_test.go
Lines changed: 103 additions & 0 deletions
@@ -583,9 +583,6 @@ jobs:
       - run: yarn playwright:install
         working-directory: site
 
-      - run: yarn playwright:install-deps
-        working-directory: site
-
       - run: yarn playwright:test
         env:
           DEBUG: pw:api
 
@@ -374,6 +374,20 @@ func newConfig() *codersdk.DeploymentConfig {
 			Usage: "Controls if the 'Secure' property is set on browser session cookies.",
 			Flag:  "secure-auth-cookie",
 		},
+		StrictTransportSecurity: &codersdk.DeploymentConfigField[int]{
+			Name: "Strict-Transport-Security",
+			Usage: "Controls if the 'Strict-Transport-Security' header is set on all static file responses. " +
+				"This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of " +
+				"the header.",
+			Default: 0,
+			Flag:    "strict-transport-security",
+		},
+		StrictTransportSecurityOptions: &codersdk.DeploymentConfigField[[]string]{
+			Name: "Strict-Transport-Security Options",
+			Usage: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
+				"The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
+			Flag: "strict-transport-security-options",
+		},
 		SSHKeygenAlgorithm: &codersdk.DeploymentConfigField[string]{
 			Name:    "SSH Keygen Algorithm",
 			Usage:   "The algorithm to use for generating ssh keys. Accepted values are \"ed25519\", \"ecdsa\", or \"rsa4096\".",
 
@@ -485,6 +485,13 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 				options.TLSCertificates = tlsConfig.Certificates
 			}
 
+			if cfg.StrictTransportSecurity.Value > 0 {
+				options.StrictTransportSecurityCfg, err = httpmw.HSTSConfigOptions(cfg.StrictTransportSecurity.Value, cfg.StrictTransportSecurityOptions.Value)
+				if err != nil {
+					return xerrors.Errorf("coderd: setting hsts header failed (options: %v): %w", cfg.StrictTransportSecurityOptions.Value, err)
+				}
+			}
+
 			if cfg.UpdateCheck.Value {
 				options.UpdateCheckOptions = &updatecheck.Options{
 					// Avoid spamming GitHub API checking for updates.
 
@@ -280,6 +280,23 @@ Flags:
                                                           "ed25519", "ecdsa", or "rsa4096".
                                                           Consumes $CODER_SSH_KEYGEN_ALGORITHM
                                                           (default "ed25519")
+      --strict-transport-security int                     Controls if the
+                                                          'Strict-Transport-Security' header
+                                                          is set on all static file responses.
+                                                          This header should only be set if
+                                                          the server is accessed via HTTPS.
+                                                          This value is the MaxAge in seconds
+                                                          of the header.
+                                                          Consumes $CODER_STRICT_TRANSPORT_SECURITY
+      --strict-transport-security-options strings         Two optional fields can be set in
+                                                          the Strict-Transport-Security
+                                                          header; 'includeSubDomains' and
+                                                          'preload'. The
+                                                          'strict-transport-security' flag
+                                                          must be set to a non-zero value for
+                                                          these options to be used.
+                                                          Consumes
+                                                          $CODER_STRICT_TRANSPORT_SECURITY_OPTIONS
       --swagger-enable                                    Expose the swagger endpoint via
                                                           /swagger.
                                                           Consumes $CODER_SWAGGER_ENABLE
 
@@ -104,6 +104,7 @@ type Options struct {
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
 	SecureAuthCookie               bool
+	StrictTransportSecurityCfg     httpmw.HSTSConfig
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
 	Telemetry                      telemetry.Reporter
 	TracerProvider                 trace.TracerProvider
@@ -224,12 +225,22 @@ func New(options *Options) *API {
 		options.MetricsCacheRefreshInterval,
 	)
 
+	staticHandler := site.Handler(site.FS(), binFS, binHashes)
+	// Static file handler must be wrapped with HSTS handler if the
+	// StrictTransportSecurityAge is set. We only need to set this header on
+	// static files since it only affects browsers.
+	staticHandler = httpmw.HSTS(staticHandler, options.StrictTransportSecurityCfg)
+
 	r := chi.NewRouter()
+	ctx, cancel := context.WithCancel(context.Background())
 	api := &API{
+		ctx:    ctx,
+		cancel: cancel,
+
 		ID:          uuid.New(),
 		Options:     options,
 		RootHandler: r,
-		siteHandler: site.Handler(site.FS(), binFS, binHashes),
+		siteHandler: staticHandler,
 		HTTPAuth: &HTTPAuthorizer{
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
@@ -675,6 +686,11 @@ func New(options *Options) *API {
 }
 
 type API struct {
+	// ctx is canceled immediately on shutdown, it can be used to abort
+	// interruptible tasks.
+	ctx    context.Context
+	cancel context.CancelFunc
+
 	*Options
 	// ID is a uniquely generated ID on initialization.
 	// This is used to associate objects with a specific
@@ -709,6 +725,8 @@ type API struct {
 
 // Close waits for all WebSocket connections to drain before returning.
 func (api *API) Close() error {
+	api.cancel()
+
 	api.WebsocketWaitMutex.Lock()
 	api.WebsocketWaitGroup.Wait()
 	api.WebsocketWaitMutex.Unlock()
 
@@ -370,26 +370,29 @@ func (q *fakeQuerier) GetTemplateAverageBuildTime(ctx context.Context, arg datab
 		stopTimes   []float64
 		deleteTimes []float64
 	)
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
 	for _, wb := range q.workspaceBuilds {
-		version, err := q.GetTemplateVersionByID(ctx, wb.TemplateVersionID)
+		version, err := q.getTemplateVersionByIDNoLock(ctx, wb.TemplateVersionID)
 		if err != nil {
 			return emptyRow, err
 		}
 		if version.TemplateID != arg.TemplateID {
 			continue
 		}
 
-		job, err := q.GetProvisionerJobByID(ctx, wb.JobID)
+		job, err := q.getProvisionerJobByIDNoLock(ctx, wb.JobID)
 		if err != nil {
 			return emptyRow, err
 		}
 		if job.CompletedAt.Valid {
 			took := job.CompletedAt.Time.Sub(job.StartedAt.Time).Seconds()
-			if wb.Transition == database.WorkspaceTransitionStart {
+			switch wb.Transition {
+			case database.WorkspaceTransitionStart:
 				startTimes = append(startTimes, took)
-			} else if wb.Transition == database.WorkspaceTransitionStop {
+			case database.WorkspaceTransitionStop:
 				stopTimes = append(stopTimes, took)
-			} else if wb.Transition == database.WorkspaceTransitionDelete {
+			case database.WorkspaceTransitionDelete:
 				deleteTimes = append(deleteTimes, took)
 			}
 		}
@@ -1838,10 +1841,14 @@ func (q *fakeQuerier) GetTemplateVersionParameters(_ context.Context, templateVe
 	return parameters, nil
 }
 
-func (q *fakeQuerier) GetTemplateVersionByID(_ context.Context, templateVersionID uuid.UUID) (database.TemplateVersion, error) {
+func (q *fakeQuerier) GetTemplateVersionByID(ctx context.Context, templateVersionID uuid.UUID) (database.TemplateVersion, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
+	return q.getTemplateVersionByIDNoLock(ctx, templateVersionID)
+}
+
+func (q *fakeQuerier) getTemplateVersionByIDNoLock(_ context.Context, templateVersionID uuid.UUID) (database.TemplateVersion, error) {
 	for _, templateVersion := range q.templateVersions {
 		if templateVersion.ID != templateVersionID {
 			continue
@@ -2273,10 +2280,14 @@ func (q *fakeQuerier) GetWorkspaceAppByAgentIDAndSlug(_ context.Context, arg dat
 	return database.WorkspaceApp{}, sql.ErrNoRows
 }
 
-func (q *fakeQuerier) GetProvisionerJobByID(_ context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
+func (q *fakeQuerier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
+	return q.getProvisionerJobByIDNoLock(ctx, id)
+}
+
+func (q *fakeQuerier) getProvisionerJobByIDNoLock(_ context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
 	for _, provisionerJob := range q.provisionerJobs {
 		if provisionerJob.ID != id {
 			continue
 
@@ -0,0 +1,72 @@
+package httpmw
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"golang.org/x/xerrors"
+)
+
+const (
+	hstsHeader = "Strict-Transport-Security"
+)
+
+type HSTSConfig struct {
+	// HeaderValue is an empty string if hsts header is disabled.
+	HeaderValue string
+}
+
+func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error) {
+	if maxAge <= 0 {
+		// No header, so no need to build the header string.
+		return HSTSConfig{}, nil
+	}
+
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+	var str strings.Builder
+	_, err := str.WriteString(fmt.Sprintf("max-age=%d", maxAge))
+	if err != nil {
+		return HSTSConfig{}, xerrors.Errorf("hsts: write max-age: %w", err)
+	}
+
+	for _, option := range options {
+		switch {
+		// Only allow valid options and fix any casing mistakes
+		case strings.EqualFold(option, "includeSubDomains"):
+			option = "includeSubDomains"
+		case strings.EqualFold(option, "preload"):
+			option = "preload"
+		default:
+			return HSTSConfig{}, xerrors.Errorf("hsts: invalid option: %q. Must be 'preload' and/or 'includeSubDomains'", option)
+		}
+		_, err = str.WriteString("; " + option)
+		if err != nil {
+			return HSTSConfig{}, xerrors.Errorf("hsts: write option: %w", err)
+		}
+	}
+	return HSTSConfig{
+		HeaderValue: str.String(),
+	}, nil
+}
+
+// HSTS will add the strict-transport-security header if enabled. This header
+// forces a browser to always use https for the domain after it loads https once.
+// Meaning: On first load of product.coder.com, they are redirected to https. On
+// all subsequent loads, the client's local browser forces https. This prevents
+// man in the middle.
+//
+// This header only makes sense if the app is using tls.
+//
+// Full header example:
+// Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+func HSTS(next http.Handler, cfg HSTSConfig) http.Handler {
+	if cfg.HeaderValue == "" {
+		// No header, so no need to wrap the handler.
+		return next
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(hstsHeader, cfg.HeaderValue)
+		next.ServeHTTP(w, r)
+	})
+}
@@ -0,0 +1,103 @@
+package httpmw_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpmw"
+)
+
+func TestHSTS(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		Name    string
+		MaxAge  int
+		Options []string
+
+		wantErr      bool
+		expectHeader string
+	}{
+		{
+			Name:    "Empty",
+			MaxAge:  0,
+			Options: nil,
+		},
+		{
+			Name:    "NoAge",
+			MaxAge:  0,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:    "NegativeAge",
+			MaxAge:  -100,
+			Options: []string{"includeSubDomains"},
+		},
+		{
+			Name:         "Age",
+			MaxAge:       1000,
+			Options:      []string{},
+			expectHeader: "max-age=1000",
+		},
+		{
+			Name:   "AgeSubDomains",
+			MaxAge: 1000,
+			// Mess with casing
+			Options:      []string{"INCLUDESUBDOMAINS"},
+			expectHeader: "max-age=1000; includeSubDomains",
+		},
+		{
+			Name:         "AgePreload",
+			MaxAge:       1000,
+			Options:      []string{"Preload"},
+			expectHeader: "max-age=1000; preload",
+		},
+		{
+			Name:         "AllOptions",
+			MaxAge:       1000,
+			Options:      []string{"preload", "includeSubDomains"},
+			expectHeader: "max-age=1000; preload; includeSubDomains",
+		},
+
+		// Error values
+		{
+			Name:    "BadOption",
+			MaxAge:  100,
+			Options: []string{"not-valid"},
+			wantErr: true,
+		},
+		{
+			Name:    "BadOptions",
+			MaxAge:  100,
+			Options: []string{"includeSubDomains", "not-valid", "still-not-valid"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			cfg, err := httpmw.HSTSConfigOptions(tt.MaxAge, tt.Options)
+			if tt.wantErr {
+				require.Error(t, err, "Expect error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+				return
+			}
+			require.NoError(t, err, "Expect no error, HSTS(%v, %v)", tt.MaxAge, tt.Options)
+
+			got := httpmw.HSTS(handler, cfg)
+			req := httptest.NewRequest("GET", "/", nil)
+			res := httptest.NewRecorder()
+			got.ServeHTTP(res, req)
+			
+			require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")
+		})
+	}
+}