view mod_strict_https/mod_strict_https.lua @ 6317:7b693a5539ad

mod_auth_http_async: Update documentation The required async APIs were included in 0.10.0, but at the time of this writing we only consider 0.12.x and later supported. The fallback sync API would have made it work with even earlier versions, but I don't remember specifically and it doesn't matter.
author Kim Alvefur <zash@zash.se>
date Tue, 02 Sep 2025 21:32:01 +0200
parents f8797e3284ff
children
line wrap: on
line source

-- HTTP Strict Transport Security
-- https://www.rfc-editor.org/info/rfc6797

module:set_global();

local http_server = require "net.http.server";

local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year"
local redirect = module:get_option_boolean("hsts_redirect", true);

module:wrap_object_event(http_server._events, false, function(handlers, event_name, event_data)
	local request, response = event_data.request, event_data.response;
	if request and response then
		if request.secure then
			response.headers.strict_transport_security = hsts_header;
		elseif redirect then
			-- This won't get the port number right
			response.headers.location = "https://" .. request.host .. request.path .. (request.query and "?" .. request.query or "");
			return 301;
		end
	end
	return handlers(event_name, event_data);
end);