Implement HTTP Strict Transport Security (HSTS).

Input & OK reyk

1 files changed, 7 insertions, 2 deletions

diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 2cb7934b536..1b7e528d134 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: httpd.h,v 1.88 2015/07/16 16:29:25 florian Exp $	*/
+/*	$OpenBSD: httpd.h,v 1.89 2015/07/18 05:41:18 florian Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -68,6 +68,7 @@
 #define SERVER_OUTOF_FD_RETRIES	5
 #define SERVER_MAX_PREFETCH	256
 #define SERVER_MIN_PREFETCHED	32
+#define SERVER_HSTS_DEFAULT_AGE	31536000
 
 #define MEDIATYPE_NAMEMAX	128	/* file name extension */
 #define MEDIATYPE_TYPEMAX	64	/* length of type/subtype */
@@ -351,13 +352,14 @@ SPLAY_HEAD(client_tree, client);
 #define SRVFLAG_NO_BLOCK	0x00080000
 #define SRVFLAG_LOCATION_MATCH	0x00100000
 #define SRVFLAG_SERVER_MATCH	0x00200000
+#define SRVFLAG_SERVER_HSTS	0x00400000
 
 #define SRVFLAG_BITS							\
 	"\10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX"		\
 	"\05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET"	\
 	"\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG"		\
 	"\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH"		\
-	"\26SERVER_MATCH"
+	"\26SERVER_MATCH\27SERVER_HSTS"
 
 #define TCPFLAG_NODELAY		0x01
 #define TCPFLAG_NNODELAY	0x02
@@ -443,6 +445,9 @@ struct server_config {
 	char			*return_uri;
 	off_t			 return_uri_len;
 
+	int			 hsts_max_age;
+	int			 hsts_subdomains;
+
 	TAILQ_ENTRY(server_config) entry;
 };
 TAILQ_HEAD(serverhosts, server_config);