From 3ebcf1eebf4864fd65a31e104123fd113ed0379f Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Mon, 9 Sep 2024 18:28:53 +0200
Subject: [PATCH] Fixes #38432 - Add HSTS middleware

This header is entirely useless for us because the header is aimed at browsers, but some scanners still think this is needed.

Link: https://www.tenable.com/plugins/nessus/142960
---
 lib/proxy/hsts_middleware.rb | 19 +++++++++++++++++++
 lib/smart_proxy_main.rb | 2 ++
 2 files changed, 21 insertions(+)
 create mode 100644 lib/proxy/hsts_middleware.rb

diff --git a/lib/proxy/hsts_middleware.rb b/lib/proxy/hsts_middleware.rb
new file mode 100644
index 000000000..4b982deef
--- /dev/null
+++ b/lib/proxy/hsts_middleware.rb
@@ -0,0 +1,19 @@
+module Proxy
+ # Add the HSTS header if not present. This header is entirely useless for us
+ # because the header is aimed at browsers, but some scanners still think this
+ # is needed.
+ # https://www.tenable.com/plugins/nessus/142960
+ class HstsMiddleware
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ status, headers, body = @app.call(env)
+ if env['HTTPS'] == 'on' && !headers.include?('Strict-Transport-Security')
+ headers['Strict-Transport-Security'] = 'max-age=31536000'
+ end
+ [status, headers, body]
+ end
+ end
+end
diff --git a/lib/smart_proxy_main.rb b/lib/smart_proxy_main.rb
index 40a84a1dc..581a07c6e 100644
--- a/lib/smart_proxy_main.rb
+++ b/lib/smart_proxy_main.rb
@@ -25,6 +25,7 @@ require 'proxy/error'
 require 'proxy/request'
 require 'proxy/request_id_middleware'
+require 'proxy/hsts_middleware'
 require 'bundler_helper'
 Proxy::BundlerHelper.require_groups(:default)
@@ -44,6 +45,7 @@ module Proxy
 ::Sinatra::Base.set :logging, false
 ::Sinatra::Base.use ::Proxy::RequestIdMiddleware
 ::Sinatra::Base.use ::Proxy::LoggerMiddleware
+ ::Sinatra::Base.use ::Proxy::HstsMiddleware
 ::Sinatra::Base.set :env, :production
 ::Sinatra::Base.register ::Sinatra::Authorization
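Review bot: In `HstsMiddleware#call` the only TLS signal consulted is `env['HTTPS'] == 'on'`, so the header is skipped on any Rack handler that reports TLS solely through `rack.url_scheme`; a broader but still server-side check is `if (env['HTTPS'] == 'on' || env['rack.url_scheme'] == 'https') && !headers.include?('Strict-Transport-Security')`. Client-supplied `X-Forwarded-Proto` should deliberately stay out of this test, because the scanner finding concerns what the TLS listener itself emits, not what a client claims. If the proxy runs on Rack 3, response header names are lowercase, so the title-case lookup and assignment may miss an existing `strict-transport-security` value or trip Rack::Lint — worth confirming against the pinned Rack version. A comment on the `if` such as `# Only set on TLS responses: clients must ignore HSTS received over plain HTTP (RFC 6797 §8.1).` would record why the scheme check exists.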