view mod_strict_https/mod_strict_https.lua @ 6009:277ccafb4826

mod_http_oauth2: Fix check for userinfo endpoint handler It was checking whether the wrong handler exists. It could have made sense if there was some dependency between them but there isn't.
author Kim Alvefur <zash@zash.se>
date Thu, 31 Oct 2024 21:49:32 +0100
parents f8797e3284ff
children
line wrap: on
line source

-- HTTP Strict Transport Security
-- https://www.rfc-editor.org/info/rfc6797

module:set_global();

local http_server = require "net.http.server";

local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year"
local redirect = module:get_option_boolean("hsts_redirect", true);

module:wrap_object_event(http_server._events, false, function(handlers, event_name, event_data)
	local request, response = event_data.request, event_data.response;
	if request and response then
		if request.secure then
			response.headers.strict_transport_security = hsts_header;
		elseif redirect then
			-- This won't get the port number right
			response.headers.location = "https://" .. request.host .. request.path .. (request.query and "?" .. request.query or "");
			return 301;
		end
	end
	return handlers(event_name, event_data);
end);