add hsts_max_age config option

web/internal/api/middleware.go

@@ -4,17 +4,19 @@ import (
 	"errors"
 	"net/http"
 	"net/http/fcgi"
+	"strconv"
 	"strings"
 
 	"github.com/labstack/echo/v4"
 
 	"git.csclub.uwaterloo.ca/public/pyceo/web/internal/app"
+	"git.csclub.uwaterloo.ca/public/pyceo/web/internal/config"
 	"git.csclub.uwaterloo.ca/public/pyceo/web/pkg/logging"
 )
 
-func helmet(isDev bool) echo.MiddlewareFunc {
+func helmet(cfg *config.Config) echo.MiddlewareFunc {
 	cspSchemes := "https:"
-	if isDev {
+	if cfg.IsDev {
 		cspSchemes = "http: https:"
 	}
 	cspDirectives := []string{
@@ -29,7 +31,7 @@ func helmet(isDev bool) echo.MiddlewareFunc {
 		"script-src-attr 'none'",
 		"style-src 'self' " + cspSchemes + " 'unsafe-inline'",
 	}
-	if !isDev {
+	if !cfg.IsDev {
 		cspDirectives = append(cspDirectives, "upgrade-insecure-requests")
 	}
 	csp := strings.Join(cspDirectives, ";")
@@ -40,8 +42,11 @@ func helmet(isDev bool) echo.MiddlewareFunc {
 			h.Set("Cross-Origin-Opener-Policy", "same-origin")
 			h.Set("Cross-Origin-Resource-Policy", "same-origin")
 			h.Set(echo.HeaderReferrerPolicy, "no-referrer")
-			if !isDev {
-				h.Set(echo.HeaderStrictTransportSecurity, "max-age=15552000")
+			if cfg.HstsMaxAge != 0 {
+				h.Set(
+					echo.HeaderStrictTransportSecurity,
+					"max-age="+strconv.FormatInt(int64(cfg.HstsMaxAge), 10),
+				)
 			}
 			return next(c)
 		}

web/internal/config/config.go

@@ -27,6 +27,7 @@ type Config struct {
 	UWDomain             string `json:"uw_domain"`
 	MTA                  string `json:"mta"`
 	CookieName           string `json:"cookie_name"`
+	HstsMaxAge           int    `json:"hsts_max_age"`
 	IsDev                bool   `json:"dev"`
 	ForcedEmailRecipient string `json:"forced_email_recipient"`