FIX: Missing HSTS-header

gddo-server/main.go

@@ -989,6 +989,18 @@ func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.root.ServeHTTP(w, r)
 }
 
+const HSTSHeaderKey = "Strict-Transport-Security"
+
+func middlewareHSTS(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// This enforces the use of HTTPS for 1 year, including present and future subdomains.
+		// Chrome and Mozilla Firefox maintain an HSTS preload list
+		// that automatically informs the browser that the website can only be accessed through HTTPS.
+		w.Header().Set(HSTSHeaderKey, "max-age=31536000; includeSubDomains; preload")
+		next.ServeHTTP(w, r)
+	})
+}
+
 func main() {
 	ctx := context.Background()
 	v, err := loadConfig(ctx, os.Args)
@@ -1016,8 +1028,9 @@ func main() {
 			}
 		}
 	}()
-	http.Handle("/", s)
-	log.Fatal(http.ListenAndServe(s.v.GetString(ConfigBindAddress), s))
+	ss := middlewareHSTS(s)
+	http.Handle("/", ss)
+	log.Fatal(http.ListenAndServe(s.v.GetString(ConfigBindAddress), ss))
 }
 
 // removeInternal removes the internal packages from the given package

gddo-server/main_test.go

@@ -7,6 +7,9 @@
 package main
 
 import (
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"reflect"
 	"testing"
 
@@ -111,3 +114,18 @@ func TestRemoveInternalPkgs(t *testing.T) {
 		})
 	}
 }
+
+func TestMiddlewareHSTS(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	respRecorder := httptest.NewRecorder()
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.WriteString(w, "")
+	})
+	handlerWithMiddlewareHSTS := middlewareHSTS(handler)
+	handlerWithMiddlewareHSTS.ServeHTTP(respRecorder, req)
+	want := "max-age=31536000; includeSubDomains; preload"
+	got := respRecorder.Header().Get(HSTSHeaderKey)
+	if got != want {
+		t.Error("middlewareHSTS do not add HSTS header")
+	}
+}