# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1353693850 -3600
# Node ID 1b34c8e46ffb49729ce060f777abe58e16a233ca
# Parent  1c886affb375be4c7941a34b5a02c3915d556fe7
mod_strict_https: New module implementing HTTP Strict Transport Security

diff -r 1c886affb375 -r 1b34c8e46ffb mod_strict_https/mod_strict_https.lua
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_strict_https/mod_strict_https.lua	Fri Nov 23 19:04:10 2012 +0100
@@ -0,0 +1,44 @@
+-- HTTP Strict Transport Security
+-- https://tools.ietf.org/html/rfc6797
+
+module:set_global();
+
+local http_server = require "net.http.server";
+
+local hsts_header = module:get_option_string("hsts_header", "max_age=31556952"); -- This means "Don't even try to access without HTTPS for a year"
+
+local _old_send_response;
+local _old_fire_event;
+
+local modules = {};
+
+function module.load()
+	_old_send_response = http_server.send_response;
+	function http_server.send_response(response, body)
+		response.headers.strict_transport_security = hsts_header;
+		return _old_send_response(response, body);
+	end
+
+	_old_fire_event = http_server._events.fire_event;
+	function http_server._events.fire_event(event, payload)
+		local request = payload.request;
+		local host = event:match("^[A-Z]+ ([^/]+)");
+		local module = modules[host];
+		if module and not request.secure then
+			payload.response.headers.location = module:http_url(request.path);
+			return 301;
+		end
+		return _old_fire_event(event, payload);
+	end
+end
+function module.unload()
+	http_server.send_response = _old_send_response;
+	http_server._events.fire_event = _old_fire_event;
+end
+function module.add_host(module)
+	local http_host = module:get_option_string("http_host", module.host);
+	modules[http_host] = module;
+	function module.unload()
+		modules[http_host] = nil;
+	end
+end