check that hosts provide an HSTS header

2022-12-16 15:52:30 +05:30 · 2022-12-16 15:52:30 +05:30 · 505b42f740
parent 75de90c8b5
commit 505b42f740
1 changed files with 37 additions and 0 deletions
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@ -893,6 +893,19 @@ define([
    });
 */

+    var parseResponseHeaders = xhr => {
+        var H = {};
+        xhr.getAllResponseHeaders()
+            .split(/\r|\n/)
+            .filter(Boolean)
+            .forEach(line => {
+                line.replace(/([^:]+):(.*)/, (all, key, value) => {
+                    H[key] = value;
+                });
+            });
+        return H;
+    };
+
    var CSP_DESCRIPTIONS = {
        'default-src': '',
        'style-src': '',
@ -1552,6 +1565,30 @@ define([
        });
    });

+    assert(function (cb, msg) {
+        // provide an exception for development instances
+        if (isLocalhost(trimmedUnsafe) && isLocalhost(window.location.href)) {
+            return void cb(true);
+        }
+
+        msg.appendChild(h('span', [
+            'This instance is not configured to require HTTP Strict Transport Security (HSTS) - which instructs clients to only interact with it over a secure connection.',
+        ]));
+        Tools.common_xhr('/', function (xhr) {
+            var H = parseResponseHeaders(xhr);
+            var HSTS = H['strict-transport-security'];
+
+            // check for a numerical value of max-age
+            // and the use of includeSubDomains
+            if (/max\-age=\d+/.test(HSTS) && /includeSubdomains/.test(HSTS)) {
+                return void cb(true);
+            }
+
+            // else call back with the value
+            cb(HSTS);
+        });
+    });
+
    var row = function (cells) {
        return h('tr', cells.map(function (cell) {
            return h('td', cell);