Support HTTP Strict Transport Security

Summary: Ref T4340. The attack this prevents is: - An adversary penetrates your network. They acquire one of two capabilities: - Your server is either configured to accept both HTTP and HTTPS, and they acquire the capability to observe HTTP traffic. - Or your server is configured to accept only HTTPS, and they acquire the capability to control DNS or routing. In this case, they start a proxy server to expose your secure service over HTTP. - They send you a link to `http://secure.service.com` (note HTTP, not HTTPS!) - You click it since everything looks fine and the domain is correct, not noticing that the "s" is missing. - They read your traffic. This is similar to attacks where `https://good.service.com` is proxied to `https://good.sorvace.com` (i.e., a similar looking domain), but can be more dangerous -- for example, the browser will send (non-SSL-only) cookies and the attacker can write cookies. This header instructs browsers that they can never access the site over HTTP and must always use HTTPS, defusing this class of attack. Test Plan: - Configured HTTPS locally. - Accessed site over HTTP (got application redirect) and HTTPS. - Enabled HSTS. - Accessed site over HTTPS (to set HSTS). - Tore down HTTPS part of the server and tried to load the site over HTTP. Browser refused to load "http://" and automatically tried to load "https://". In another browser which had not received the "HSTS" header, loading over HTTP worked fine. - Brought the HTTPS server back up, things worked fine. - Turned off the HSTS config setting. - Loaded a page (to set HSTS with expires 0, diabling it). - Tore down the HTTPS part of the server again. - Tried to load HTTP. - Now it worked. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D11820
2024-09-20 09:18:48 +02:00 · 2015-02-19 10:33:48 -08:00 · 2015-02-19 10:33:48 -08:00 · 751ffe123d
commit 751ffe123d
parent 35c55f7ddf
2 changed files with 38 additions and 0 deletions
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@ -24,6 +24,24 @@ abstract class AphrontResponse {
      $headers[] = array('X-Frame-Options', 'Deny');
    }

+    if ($this->getRequest() && $this->getRequest()->isHTTPS()) {
+      $hsts_key = 'security.strict-transport-security';
+      $use_hsts = PhabricatorEnv::getEnvConfig($hsts_key);
+      if ($use_hsts) {
+        $duration = phutil_units('365 days in seconds');
+      } else {
+        // If HSTS has been disabled, tell browsers to turn it off. This may
+        // not be effective because we can only disable it over a valid HTTPS
+        // connection, but it best represents the configured intent.
+        $duration = 0;
+      }
+
+      $headers[] = array(
+        'Strict-Transport-Security',
+        "max-age={$duration}; includeSubdomains; preload",
+      );
+    }
+
    return $headers;
  }

--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@ -223,6 +223,26 @@ final class PhabricatorSecurityConfigOptions
            pht(
              'If you enable this, you are allowing Phabricator to '.
              'potentially make requests to external servers.')),
+        $this->newOption('security.strict-transport-security', 'bool', false)
+          ->setLocked(true)
+          ->setBoolOptions(
+            array(
+              pht('Use HSTS'),
+              pht('Do Not Use HSTS'),
+            ))
+          ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).'))
+          ->setDescription(
+            pht(
+              'HTTP Strict Transport Security (HSTS) sends a header which '.
+              'instructs browsers that the site should only be accessed '.
+              'over HTTPS, never HTTP. This defuses an attack where an '.
+              'adversary gains access to your network, then proxies requests '.
+              'through an unsecured link.'.
+              "\n\n".
+              'Do not enable this option if you serve (or plan to ever serve) '.
+              'unsecured content over plain HTTP. It is very difficult to '.
+              'undo this change once users browsers have accepted the '.
+              'setting.')),
        $this->newOption('security.allow-conduit-act-as-user', 'bool', false)
          ->setBoolOptions(
            array(