coder · f0ssel · Mar 31, 2022 · Mar 30, 2022 · Mar 30, 2022 · Mar 30, 2022
diff --git a/cli/start.go b/cli/start.go
@@ -47,15 +47,17 @@ func start() *cobra.Command {
 		dev         bool
 		postgresURL string
 		// provisionerDaemonCount is a uint8 to ensure a number > 0.
-		provisionerDaemonCount uint8
-		tlsCertFile            string
-		tlsClientCAFile        string
-		tlsClientAuth          string
-		tlsEnable              bool
-		tlsKeyFile             string
-		tlsMinVersion          string
-		useTunnel              bool
-		traceDatadog           bool
+		provisionerDaemonCount  uint8
+		tlsCertFile             string
+		tlsClientCAFile         string
+		tlsClientAuth           string
+		tlsEnable               bool
+		tlsKeyFile              string
+		tlsMinVersion           string
+		useTunnel               bool
+		traceDatadog            bool
+		strictTransportSecurity bool
+		secureAuthCookie        bool
 	)
 	root := &cobra.Command{
 		Use: "start",
@@ -127,11 +129,13 @@ func start() *cobra.Command {
 			}
 			logger := slog.Make(sloghuman.Sink(os.Stderr))
 			options := &coderd.Options{
-				AccessURL:            accessURLParsed,
-				Logger:               logger.Named("coderd"),
-				Database:             databasefake.New(),
-				Pubsub:               database.NewPubsubInMemory(),
-				GoogleTokenValidator: validator,
+				AccessURL:               accessURLParsed,
+				Logger:                  logger.Named("coderd"),
+				Database:                databasefake.New(),
+				Pubsub:                  database.NewPubsubInMemory(),
+				GoogleTokenValidator:    validator,
+				StrictTransportSecurity: strictTransportSecurity,
+				SecureAuthCookie:        secureAuthCookie,
 			}
 
 			if !dev {
@@ -334,6 +338,8 @@ func start() *cobra.Command {
 	cliflag.BoolVarP(root.Flags(), &useTunnel, "tunnel", "", "CODER_DEV_TUNNEL", true, "Serve dev mode through a Cloudflare Tunnel for easy setup")
 	_ = root.Flags().MarkHidden("tunnel")
 	cliflag.BoolVarP(root.Flags(), &traceDatadog, "trace-datadog", "", "CODER_TRACE_DATADOG", false, "Send tracing data to a datadog agent")
+	cliflag.BoolVarP(root.Flags(), &strictTransportSecurity, "strict-transport-security", "", "CODER_STRICT_TRANSPORT_SECURITY", false, `Specifies if the "strict-transport-security" header is set on http responses`)
+	cliflag.BoolVarP(root.Flags(), &secureAuthCookie, "secure-auth-cookie", "", "CODER_SECURE_AUTH_COOKIE", false, "Specifies if the 'Secure' property is set on browser session cookies")
 
 	return root
 }

diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -29,6 +29,9 @@ type Options struct {
 
 	AWSCertificates      awsidentity.Certificates
 	GoogleTokenValidator *idtoken.Validator
+
+	StrictTransportSecurity bool
+	SecureAuthCookie        bool
 }
 
 // New constructs the Coder API into an HTTP handler.
@@ -45,7 +48,10 @@ func New(options *Options) (http.Handler, func()) {
 
 	r := chi.NewRouter()
 	r.Route("/api/v2", func(r chi.Router) {
-		r.Use(chitrace.Middleware())
+		r.Use(
+			chitrace.Middleware(),
+			httpmw.StrictTransportSecurity(api.StrictTransportSecurity),
+		)
 		r.Get("/", func(w http.ResponseWriter, r *http.Request) {
 			httpapi.Write(w, http.StatusOK, httpapi.Response{
 				Message: "👋",

diff --git a/coderd/httpmw/stricttransportsecurity.go b/coderd/httpmw/stricttransportsecurity.go
@@ -0,0 +1,30 @@
+package httpmw
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+)
+
+// StrictTransportSecurity will add the strict-transport-security header if enabled.
+// This header forces a browser to always use https for the domain after it loads https
+// once.
+// Meaning: On first load of product.coder.com, they are redirected to https.
+// 		On all subsequent loads, the client's local browser forces https. This prevents man in the middle.
+//
+// This header only makes sense if the app is using tls.
+// Full header example
+//	Strict-Transport-Security: max-age=63072000;
+// nolint:revive
+func StrictTransportSecurity(enable bool) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			if enable {
+				age := time.Hour * 24 * 365 // 1 year
+				rw.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", int64(age.Seconds())))
+			}
+
+			next.ServeHTTP(rw, r)
+		})
+	}
+}
diff --git a/coderd/httpmw/stricttransportsecurity_test.go b/coderd/httpmw/stricttransportsecurity_test.go
@@ -0,0 +1,50 @@
+package httpmw_test
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/httpmw"
+)
+
+func TestStrictTransportSecurity(t *testing.T) {
+	t.Parallel()
+
+	strictTransportSecurityHeader := "Strict-Transport-Security"
+	strictTransportSecurityMaxAge := time.Hour * 24 * 365
+
+	setup := func(enable bool) *http.Response {
+		rw := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/", nil)
+
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.StrictTransportSecurity(enable))
+		rtr.Get("/", func(w http.ResponseWriter, r *http.Request) {
+			_, _ = w.Write([]byte("hello!"))
+		})
+		rtr.ServeHTTP(rw, r)
+		return rw.Result()
+	}
+
+	t.Run("True", func(t *testing.T) {
+		t.Parallel()
+
+		res := setup(true)
+		defer res.Body.Close()
+		require.Contains(t, res.Header.Get(strictTransportSecurityHeader), fmt.Sprintf("max-age=%d", int64(strictTransportSecurityMaxAge.Seconds())))
+	})
+	t.Run("False", func(t *testing.T) {
+		t.Parallel()
+
+		res := setup(false)
+		defer res.Body.Close()
+		require.NotContains(t, res.Header.Get(strictTransportSecurityHeader), fmt.Sprintf("max-age=%d", int64(strictTransportSecurityMaxAge.Seconds())))
+		require.Equal(t, res.Header.Get(strictTransportSecurityHeader), "")
+	})
+}
diff --git a/coderd/users.go b/coderd/users.go
@@ -417,6 +417,7 @@ func (api *api) postLogin(rw http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
+		Secure:   api.SecureAuthCookie,
 	})
 
 	render.Status(r, http.StatusCreated)