prosody-modules
9d88c3d9eea5
mod_strict_https/mod_strict_https.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_strict_https/mod_strict_https.lua @ 6281:9d88c3d9eea5

mod_http_oauth2: Enforce the registered grant types Thus a client can limit itself to certain grant types. Not sure if this prevents any attacks, but what was the point of including this in the registration if it was not going to be enforced? This became easier to do with client_id being available earlier.
author Kim Alvefur <zash@zash.se>
date Mon, 02 Jun 2025 20:55:20 +0200
parent 5415:f8797e3284ff
line wrap: on
line source

-- HTTP Strict Transport Security
-- https://www.rfc-editor.org/info/rfc6797

module:set_global();

local http_server = require "net.http.server";

local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year"
local redirect = module:get_option_boolean("hsts_redirect", true);

module:wrap_object_event(http_server._events, false, function(handlers, event_name, event_data)
	local request, response = event_data.request, event_data.response;
	if request and response then
		if request.secure then
			response.headers.strict_transport_security = hsts_header;
		elseif redirect then
			-- This won't get the port number right
			response.headers.location = "https://" .. request.host .. request.path .. (request.query and "?" .. request.query or "");
			return 301;
		end
	end
	return handlers(event_name, event_data);
end);