
io.vertx.ext.web.handler.HSTSHandler Maven / Gradle / Ivy

There is a newer version: 5.0.0.CR1
/*
 * Copyright 2014 Red Hat, Inc.
 *
 *  All rights reserved. This program and the accompanying materials
 *  are made available under the terms of the Eclipse Public License v1.0
 *  and Apache License v2.0 which accompanies this distribution.
 *
 *  The Eclipse Public License is available at
 *  http://www.eclipse.org/legal/epl-v10.html
 *
 *  The Apache License v2.0 is available at
 *  http://www.opensource.org/licenses/apache2.0.php
 *
 *  You may elect to redistribute this code under either of these licenses.
 */
package io.vertx.ext.web.handler;

import io.vertx.codegen.annotations.VertxGen;
import io.vertx.core.http.HttpServerRequest;

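/**
 * HTTP Strict Transport Security (HSTS), RFC 6797.
 *
 * <p>This handler adds the {@code Strict-Transport-Security} response header, for this domain or
 * for this domain and its subdomains, to responses for requests it considers secure.
 *
 * <p>A request is considered secure when the connection itself is TLS
 * ({@link HttpServerRequest#isSSL()}) or when the request carries {@code Front-End-Https: on}.
 * No other forwarding header is consulted here, so behind a TLS-terminating proxy that does not set
 * {@code Front-End-Https} the header is not emitted by this handler.
 *
 * <p>Deployment note: {@code Front-End-Https} is an ordinary request header and is taken at face
 * value. Unless the edge proxy overwrites or strips it on inbound requests, any client can send it
 * and make the header appear on a plain-HTTP response, which RFC 6797 section 7.2 says a host must
 * not do. Conforming user agents ignore the header on insecure transport (section 8.1), so the
 * practical exposure is limited, but the proxy should still own this header.
 *
 * @author Paulo Lopes
 */
@VertxGen
public interface HSTSHandler extends SecurityPolicyHandler {

  // 6 months, expressed in seconds (15768000 s = 182.5 days)
  long DEFAULT_MAX_AGE = 15768000;

  /**
   * Creates a new instance that shall consider the configuration for sub domains.
   *
   * <p>The header value is built once, when the handler is created, and reused for every request.
   * A {@code maxAge} of {@code 0} is accepted: RFC 6797 defines it as the signal for user agents to
   * stop treating the host as an HSTS host.
   *
   * @param maxAge max age to attribute to the header, in seconds; must not be negative
   * @param includeSubDomains consider sub domains when adding the header
   * @return an instance.
   * @throws IllegalArgumentException if {@code maxAge} is negative
   */
  static HSTSHandler create(long maxAge, boolean includeSubDomains) {
    // max-age is a non-negative integer (RFC 6797 section 6.1.1). A negative value would produce a
    // malformed header that user agents discard, silently leaving the site without HSTS, so the
    // misconfiguration is rejected when the handler is built rather than at request time.
    if (maxAge < 0) {
      throw new IllegalArgumentException("maxAge must not be negative: " + maxAge);
    }

    final String header;

    if (includeSubDomains) {
      // RFC 6797 spells the directive "includeSubDomains"; directive names are case-insensitive
      // (section 6.1), so this spelling is equivalent for conforming user agents. Tools that
      // compare the header as an exact string may still report it.
      header = "max-age=" + maxAge + "; includeSubdomains";
    } else {
      header = "max-age=" + maxAge;
    }

    return ctx -> {
      final HttpServerRequest request = ctx.request();

      boolean isSecure = (request.isSSL())
        // Non-standard header field used by Microsoft applications and load-balancers.
        // It is client-supplied unless the fronting proxy overwrites or strips it, so it is only
        // meaningful when this server is reachable exclusively through such a proxy.
        || ("on".equalsIgnoreCase(request.getHeader("Front-End-Https")));

      if (isSecure) {
        request.response().putHeader("Strict-Transport-Security", header);
      }

      // Always hand over to the next handler; requests judged insecure pass through unchanged and
      // are neither redirected nor rejected here.
      ctx.next();
    };
  }

  /**
   * Creates a new instance that shall consider the configuration for sub domains,
   * using {@link #DEFAULT_MAX_AGE} as the max age.
   *
   * @param includeSubDomains consider sub domains when adding the header
   * @return an instance.
   */
  static HSTSHandler create(boolean includeSubDomains) {
    return create(DEFAULT_MAX_AGE, includeSubDomains);
  }

  /**
   * Creates a new instance that does not consider the configuration for sub domains.
   * Using the default max age.
   *
   * <p>With this variant subdomains are not covered by the policy; use
   * {@link #create(boolean)} with {@code true} when they should be.
   *
   * @return an instance.
   */
  static HSTSHandler create() {
    return create(false);
  }
}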



