Enforce HTTPS on godoc.org #325
Conversation
Redirect HTTP links to HTTPS and set HSTS correctly. This is specific to the godoc.org set up (with nginx passing a X-Scheme header back) and without fixing up api.godoc.org. Fixes #304.
|
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm. |
| if host == "godoc.org" { | ||
| // Because https is not used api.godoc.org, the includeSubDomains | ||
| // parameter is not used here. | ||
| resp.Header().Add("Strict-Transport-Security", "max-age=631138519; preload") |
There was a problem hiding this comment.
Put this after the following if block (don't set the HSTS header on HTTP requests).
There was a problem hiding this comment.
Hey @agl does this header look right to you? I'm concerned about the length of the timeout. What's the best practice?
There was a problem hiding this comment.
I moved the code after the if block.
There was a problem hiding this comment.
- Merge httpsEnforcerHandler and hostMux handlers to rootHandler. - Set host name in redirect. - Strip port when comparing host names. - Do not set includeSubdomains parameter in HSTS header as api.godoc.org is not served via http.
Fixes #304.