From ceda26b284c7a6bfbac96d0e4fd20de0440a4f82 Mon Sep 17 00:00:00 2001
From: Sumeng Wang
Date: Fri, 4 Aug 2023 10:05:19 -0700
Subject: [PATCH] let hsts use settings from cdap config add hsts settings to cdap.json add root flag nit change max age fix type
---
 server/config/development/cdap.json | 6 +++++-
 server/express.js | 14 ++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/server/config/development/cdap.json b/server/config/development/cdap.json
index a61438c156c..a8fd10b4487 100644
--- a/server/config/development/cdap.json
+++ b/server/config/development/cdap.json
@@ -16,5 +16,9 @@
 "session.secret.key": "sample-secret-key-for-encryption",
 "feature.lifecycle.management.edit.enabled": "true",
 "ui.analyticsTag": "",
- "ui.GTM": ""
+ "ui.GTM": "",
+ "hsts.enabled": "false",
+ "hsts.max.age": 31536000,
+ "hsts.include.sub.domains": "true",
+ "hsts.preload": "true"
 }
diff --git a/server/express.js b/server/express.js
index f0693b16f4a..ab1ff16313a 100644
--- a/server/express.js
+++ b/server/express.js
@@ -136,6 +136,11 @@ function makeApp(authAddress, cdapConfig, uiSettings) {
 if (!isModeDevelopment()) {
 const proxyBaseUrl = cdapConfig['dashboard.proxy.base.url'];
+ const hstsSettings = {
+ maxAge: parseInt(cdapConfig["hsts.max.age"]),
+ includeSubDomains: cdapConfig["hsts.include.sub.domains"] === 'true',
+ preload: cdapConfig["hsts.preload"] === 'true',
+ }
 let cspWhiteListUrls = [];
 if (proxyBaseUrl) {
 cspWhiteListUrls.push(proxyBaseUrl);
@@ -181,10 +186,7 @@ function makeApp(authAddress, cdapConfig, uiSettings) {
 reportUri: `https://csp.withgoogle.com/csp/cdap`,
 },
 },
- hsts: {
- includeSubDomains: true,
- preload: true,
- },
+ hsts: cdapConfig["hsts.enabled"] === 'true' && hstsSettings,
 // Hub icons are cross-origin but don't supply CORS headers
 // TODO credentialless will also work but isn't supported by FF and Safari
 crossOriginEmbedderPolicy: false
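Review bot: `"hsts.max.age": 31536000` is the only unquoted value in this file — every neighbouring key, including the three new `hsts.*` booleans, is a string — so the same key read from this JSON and from another config source would arrive with different types; `"hsts.max.age": "31536000"` keeps the file uniform and still parses on the server side. Shipping `"hsts.preload": "true"` as a default is also a stronger commitment than the other defaults: the `preload` directive advertises eligibility for browser preload lists, which is hard to undo once a domain is submitted, so a `"false"` default (or a note in whatever documents these keys, since JSON has no comment syntax) may be safer. The `"hsts.enabled": "false"` default looks harmless for a development config, since the server-side HSTS branch in express.js appears to be skipped in development mode anyway.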
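Review bot: `maxAge: parseInt(cdapConfig["hsts.max.age"])` has no radix and turns a missing or malformed setting into `NaN`, and — if this options object is Helmet's, as the `contentSecurityPolicy`/`crossOriginEmbedderPolicy` keys suggest — a `NaN` `maxAge` is rejected when the middleware is built rather than falling back to a default, so a deployment that sets `hsts.enabled` without `hsts.max.age` would fail at startup. I would parse once and fall back explicitly: `const maxAge = Number.parseInt(cdapConfig['hsts.max.age'], 10);` and `maxAge: Number.isFinite(maxAge) ? maxAge : 31536000,` (or `undefined` to take the library default), mirroring the value the development cdap.json now ships. The object literal also ends in a bare `}` with no semicolon and mixes `"hsts.*"` double quotes with the file's single-quoted `'dashboard.proxy.base.url'`; `};` and single quotes match the surrounding lines. The enclosing `if (!isModeDevelopment())` block and `makeApp` continue outside the hunk.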
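Review bot: `hsts: cdapConfig["hsts.enabled"] === 'true' && hstsSettings` flips the default from always-on to off: the removed lines sent Strict-Transport-Security unconditionally outside development mode, while the new expression disables the header whenever `hsts.enabled` is absent or anything other than the exact string `'true'`, so an existing production config that never defines the key silently loses HSTS on upgrade. If the intent is only to make the directive values tunable, an opt-out keeps the old posture: `hsts: cdapConfig['hsts.enabled'] !== 'false' && hstsSettings,`; if opt-in is intended, the changed default deserves a sentence in the commit message and release notes. A ternary, `cdapConfig['hsts.enabled'] === 'true' ? hstsSettings : false`, also states the intent more clearly than relying on `&&` to yield `false`, which is what the middleware appears to treat as "disabled". The options object and `makeApp` extend beyond the hunk.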
@@ -239,6 +241,10 @@ function makeApp(authAddress, cdapConfig, uiSettings) {
 ui: uiSettings['ui'],
 k8sWorkloadIdentityEnabled: cdapConfig['master.environment.k8s.workload.identity.enabled'],
 namespaceCreationHookEnabled: cdapConfig['namespaces.creation.hook.enabled'],
+ hstsEnabled: cdapConfig['hsts.enabled'],
+ hstsMaxAge: cdapConfig['hsts.max.age'],
+ hstsIncludeSubDomains: cdapConfig['hsts.include.sub.domains'],
+ hstsPreload: cdapConfig['hsts.preload'],
 },
 hydrator: {
 previewEnabled: cdapConfig['enable.preview'] === 'true',
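Review bot: The four new `hsts*` entries forward the raw config values — `cdapConfig['hsts.enabled']` and friends — so whatever consumes this settings object receives the strings `'true'`/`'false'` (or `undefined`, or a number for `hsts.max.age` given the development JSON) rather than booleans and an integer, unlike `previewEnabled: cdapConfig['enable.preview'] === 'true'` in the `hydrator` block at the end of the hunk, which normalizes before exposing. Normalizing here, `hstsEnabled: cdapConfig['hsts.enabled'] === 'true',` and `hstsMaxAge: Number.parseInt(cdapConfig['hsts.max.age'], 10),`, keeps the server as the single place that interprets these settings and matches how the same keys are interpreted where the HSTS middleware is configured earlier in the file. It is also worth confirming this block is needed at all: if the object is served to the browser, the client learns the HSTS policy from the response header itself and gains nothing from these values. The settings object and `makeApp` continue outside the hunk.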