This repository has been archived by the owner on Oct 6, 2019. It is now read-only.

Feature Request: Add HSTS HTTP header for security #289

Open
dswhite42 opened this issue Jan 28, 2019 · 1 comment

Comments

@dswhite42

When Qualys does a vulnerability scan on Goldfish, one of the vulns it reports is "Strict-Transport-Security HTTP Header missing". Could this be added?

Strict-Transport-Security "max-age=63072000; includeSubdomains;"

If I read the spec right, this should work both when GoldFish is running in HTTP mode (so the header is ignored) and in HTTPS mode (where it does what it's supposed to).

Thanks!
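As an added example (not Goldfish's own code, and not from the reporter), a plain net/http middleware that renders the header value the issue asks for and sets it only on responses served over TLS, which illustrates the HTTP-vs-HTTPS point made above. The `goldfish.test` hostname and every name in it are constructed for this thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HSTSConfig holds the two knobs from the issue: max-age and subdomain scope.
// Constructed example for this thread, not Goldfish code.
type HSTSConfig struct {
	MaxAgeSeconds     int
	IncludeSubDomains bool
}

// HeaderValue renders e.g. "max-age=63072000; includeSubDomains".
func (c HSTSConfig) HeaderValue() string {
	v := fmt.Sprintf("max-age=%d", c.MaxAgeSeconds)
	if c.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	return v
}

// WithHSTS sets the header only on requests that arrived over TLS, directly
// or via a proxy that sets X-Forwarded-Proto; browsers ignore HSTS on plain HTTP.
func WithHSTS(cfg HSTSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		viaTLS := r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
		if viaTLS && cfg.MaxAgeSeconds > 0 {
			w.Header().Set("Strict-Transport-Security", cfg.HeaderValue())
		}
		next.ServeHTTP(w, r)
	})
}

// hstsHeaderFor returns the header a client would receive for one request URL.
func hstsHeaderFor(cfg HSTSConfig, target string) string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) })
	rec := httptest.NewRecorder()
	WithHSTS(cfg, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	cfg := HSTSConfig{MaxAgeSeconds: 63072000, IncludeSubDomains: true}
	fmt.Printf("https: %q\n", hstsHeaderFor(cfg, "https://goldfish.test/"))
	fmt.Printf("http:  %q\n", hstsHeaderFor(cfg, "http://goldfish.test/"))
}
```

`httptest.NewRequest` marks an `https://` target as a TLS request, so the two calls in `main` stand in for a real HTTPS and a real plain-HTTP client.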

@dswhite42
Author

I think this can be accomplished with the following change. (I'm running this locally now).

$ diff -u server/server.go.dist server/server.go
--- server/server.go.dist       2019-01-29 17:28:54.379518024 -0600
+++ server/server.go    2019-01-29 17:29:38.542969872 -0600
@@ -63,6 +63,7 @@
                        ContentTypeNosniff:    "nosniff",
                        XFrameOptions:         "SAMEORIGIN",
                        ContentSecurityPolicy: "default-src 'self' blob: https://api.github.com;",
+                       HSTSMaxAge:            31536000,
                }))
 
                // if auto-redirect is set, forward port 80 to port 443
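Review bot: the value added at `HSTSMaxAge: 31536000` is one year, whereas the issue asked for `max-age=63072000; includeSubdomains`, and the hunk sets nothing that controls subdomain coverage; either use the requested value or say in the commit why one year was chosen, and confirm that the middleware's default subdomain behaviour matches the intent, since a re-scan will only judge what the emitted header actually says. The surrounding lines show no TLS condition, so it is also worth checking that this middleware emits the header only on HTTPS responses, as the first comment assumes.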
