feat: Add option to enable hsts header (#6147)

* feat: Add option to enable hsts header * Update golden files
2025-07-03 16:13:58 +00:00 · 2023-02-10 10:52:49 -06:00
parent 77afdf71dc
commit 6189035e98
13 changed files with 287 additions and 1 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -103,6 +103,7 @@ type Options struct {
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
 	SecureAuthCookie               bool
+	StrictTransportSecurityCfg     httpmw.HSTSConfig
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
 	Telemetry                      telemetry.Reporter
 	TracerProvider                 trace.TracerProvider
@ -222,12 +223,18 @@ func New(options *Options) *API {
 		options.MetricsCacheRefreshInterval,
 	)

+	staticHandler := site.Handler(site.FS(), binFS, binHashes)
+	// Static file handler must be wrapped with HSTS handler if the
+	// StrictTransportSecurityAge is set. We only need to set this header on
+	// static files since it only affects browsers.
+	staticHandler = httpmw.HSTS(staticHandler, options.StrictTransportSecurityCfg)
+
 	r := chi.NewRouter()
 	api := &API{
 		ID:          uuid.New(),
 		Options:     options,
 		RootHandler: r,
-		siteHandler: site.Handler(site.FS(), binFS, binHashes),
+		siteHandler: staticHandler,
 		HTTPAuth: &HTTPAuthorizer{
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,