From f0b7663d31a3bf3f5c4f5cd698188e463d54486a Mon Sep 17 00:00:00 2001
From: Mark Murnane
Date: Wed, 29 Nov 2023 12:01:11 -0600
Subject: [PATCH] Adding all HSTS options

---
 uber/configspec.ini | 2 ++
 uber/server.py | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/uber/configspec.ini b/uber/configspec.ini
index d88929888..605a2fd16 100644
--- a/uber/configspec.ini
+++ b/uber/configspec.ini
@@ -1883,6 +1883,8 @@ prefix = string(default="")
 
 [hsts]
 max_age = integer(default=31536000)
+preload = boolean(default=False)
+include_subdomains = boolean(default=False)
 
 [appconf]
 # This is all CherryPy configuration.
diff --git a/uber/server.py b/uber/server.py
index c468990b8..86ace23b9 100644
--- a/uber/server.py
+++ b/uber/server.py
@@ -49,7 +49,17 @@ def sentry_end_transaction():
 @cherrypy.tools.register('before_finalize', priority=60)
 def secureheaders():
     headers = cherrypy.response.headers
-    headers['Strict-Transport-Security'] = 'max-age=' + str(c.HSTS['max_age'])
+    hsts_header = 'max-age=' + str(c.HSTS['max_age'])
+    if c.HSTS['include_subdomains']:
+        hsts_header += '; includeSubDomains'
+    if c.HSTS['preload']:
+        if c.HSTS['max_age'] < 31536000:
+            log.error('HSTS only supports preloading if max-age > 31536000')
+        elif not c.HSTS['include_subdomains']:
+            log.error('HSTS only supports preloading if subdomains are included')
+        else:
+            hsts_header += '; preload'
+    headers['Strict-Transport-Security'] = hsts_header
 
 def _add_email():
     [body] = cherrypy.response.body
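Review bot: The two new `[hsts]` keys carry no explanatory comment, although both widen the reach of the policy in ways an operator should understand before flipping them on, and the neighbouring `[appconf]` section shows this file does document options inline. `include_subdomains` extends the header to every subdomain of the served host, and `preload` requests inclusion in browser preload lists, which is slow to reverse once granted. Suggest a comment above each, e.g. `# Apply the HSTS policy to all subdomains as well; required before preload takes effect` and `# Add the preload directive; only emitted when max_age >= 31536000 and include_subdomains is true`.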
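Review bot: The preload guard in `secureheaders` rejects `c.HSTS['max_age']` below 31536000, but its message says `> 31536000`, so the configspec default of exactly 31536000 passes a check whose message claims it should fail; align the text with the code, `log.error('HSTS only supports preloading if max-age >= 31536000')` (or use `<=` if a strict bound was intended). Because these checks sit in a `before_finalize` hook, a misconfigured `preload` logs an error on every response and the header is quietly emitted without the directive instead of failing once at startup; validating the `[hsts]` section when config is loaded would surface the problem a single time and let the hook just build the string. `c` and `log` are defined outside the hunk, so I'm assuming `c.HSTS` is a dict-like view of that section.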