feat: Add HSTS and secure cookie options

f0ssel · f0ssel · commit d6c404cf90b0 · 2022-03-30T19:46:59.000Z
diff --git a/cli/start.go b/cli/start.go
@@ -56,6 +56,8 @@ func start() *cobra.Command {
 		tlsMinVersion          string
 		useTunnel              bool
 		traceDatadog           bool
+		hsts                   bool
+		secureCookie           bool
 	)
 	root := &cobra.Command{
 		Use: "start",
@@ -132,6 +134,8 @@ func start() *cobra.Command {
 				Database:             databasefake.New(),
 				Pubsub:               database.NewPubsubInMemory(),
 				GoogleTokenValidator: validator,
+				HSTS:                 hsts,
+				SecureCookie:         secureCookie,
 			}
 
 			if !dev {
@@ -334,6 +338,8 @@ func start() *cobra.Command {
 	cliflag.BoolVarP(root.Flags(), &useTunnel, "tunnel", "", "CODER_DEV_TUNNEL", true, "Serve dev mode through a Cloudflare Tunnel for easy setup")
 	_ = root.Flags().MarkHidden("tunnel")
 	cliflag.BoolVarP(root.Flags(), &traceDatadog, "trace-datadog", "", "CODER_TRACE_DATADOG", false, "Send tracing data to a datadog agent")
+	cliflag.BoolVarP(root.Flags(), &hsts, "hsts", "", "CODER_HSTS", false, "Set the 'strict-transport-security' header on http responses")
+	cliflag.BoolVarP(root.Flags(), &secureCookie, "secure-cookie", "", "CODER_SECURE_COOKIE", false, "Set the 'Secure' property on browser session cookies")
 
 	return root
 }
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -29,6 +29,9 @@ type Options struct {
 
 	AWSCertificates      awsidentity.Certificates
 	GoogleTokenValidator *idtoken.Validator
+
+	HSTS         bool
+	SecureCookie bool
 }
 
 // New constructs the Coder API into an HTTP handler.
@@ -45,7 +48,10 @@ func New(options *Options) (http.Handler, func()) {
 
 	r := chi.NewRouter()
 	r.Route("/api/v2", func(r chi.Router) {
-		r.Use(chitrace.Middleware())
+		r.Use(
+			chitrace.Middleware(),
+			httpmw.HSTS(api.HSTS),
+		)
 		r.Get("/", func(w http.ResponseWriter, r *http.Request) {
 			httpapi.Write(w, http.StatusOK, httpapi.Response{
 				Message: "👋",
diff --git a/coderd/httpmw/hsts.go b/coderd/httpmw/hsts.go
@@ -0,0 +1,33 @@
+package httpmw
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+)
+
+const (
+	HSTSHeader = "Strict-Transport-Security"
+	HSTSMaxAge = time.Hour * 24 * 365 // 1 year
+)
+
+// HSTS will add the strict-transport-security header if enabled.
+// This header forces a browser to always use https for the domain after it loads https
+// once.
+// Meaning: On first load of product.coder.com, they are redirected to https.
+// 		On all subsequent loads, the client's local browser forces https. This prevents man in the middle.
+//
+// This header only makes sense if the app is using tls.
+// Full header example
+//	Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+func HSTS(hsts bool) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if hsts {
+				w.Header().Set(HSTSHeader, fmt.Sprintf("max-age=%d", int64(HSTSMaxAge)))
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/coderd/httpmw/hsts_test.go b/coderd/httpmw/hsts_test.go
@@ -0,0 +1,43 @@
+package httpmw_test
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/coder/coder/coderd/httpmw"
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHSTS(t *testing.T) {
+	t.Parallel()
+	setup := func(hsts bool) *http.Response {
+		rw := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/", nil)
+
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.HSTS(hsts))
+		rtr.Get("/", func(w http.ResponseWriter, r *http.Request) {
+			_, _ = w.Write([]byte("hello!"))
+		})
+		rtr.ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		return res
+	}
+
+	t.Run("True", func(t *testing.T) {
+		t.Parallel()
+
+		res := setup(true)
+		require.Contains(t, res.Header.Get(httpmw.HSTSHeader), fmt.Sprintf("max-age=%d", int64(httpmw.HSTSMaxAge)))
+	})
+	t.Run("False", func(t *testing.T) {
+		t.Parallel()
+
+		res := setup(false)
+		require.NotContains(t, res.Header.Get(httpmw.HSTSHeader), fmt.Sprintf("max-age=%d", int64(httpmw.HSTSMaxAge)))
+	})
+}
diff --git a/coderd/users.go b/coderd/users.go
@@ -417,6 +417,7 @@ func (api *api) postLogin(rw http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
+		Secure:   api.SecureCookie,
 	})
 
 	render.Status(r, http.StatusCreated)
