From 937e96f43d669bac5ae57d1e83fe242803e69f0a Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 22 Nov 2021 09:35:17 -0800
Subject: [PATCH] cmd/derper: enable HSTS when serving over HTTPS.

Starting with a short lifetime, to verify nothing breaks.

Updates #3373

Signed-off-by: David Anderson
---
 cmd/derper/derper.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index e044421a9..74ee0c102 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -235,6 +235,14 @@ func main() {
 		cert.Certificate = append(cert.Certificate, s.MetaCert())
 		return cert, nil
 	}
+	httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Security scanners get cranky when HTTPS sites don't set
+		// HSTS. Set it even though derper doesn't really serve
+		// anything of interest to browsers (and API clients like
+		// tailscale don't obey HSTS).
+		w.Header().Set("Strict-Transport-Security", "max-age=600; includeSubDomains")
+		mux.ServeHTTP(w, r)
+	})
 	go func() {
 		port80srv := &http.Server{
 			Addr: net.JoinHostPort(listenHost, "80"),
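Review bot: The `includeSubDomains` directive in the new Strict-Transport-Security value is a wider commitment than the commit message's "short lifetime" trial suggests: once a browser has seen it, every subdomain of the derper's hostname is forced to HTTPS for max-age seconds, not just the DERP endpoint itself, and the hostname is operator-supplied, so a deployment that also serves plain HTTP on a subdomain of that name would be affected. If the directive is intentional, the comment should say so; otherwise it is safer to ship `max-age=600` alone first and add `includeSubDomains` once the trial has baked. A comment such as `// includeSubDomains is deliberate: derper is expected to run on a TLS-only leaf name; drop it if that assumption does not hold for a deployment.` would make the choice reviewable, and a `// TODO(#3373): raise max-age once this has baked.` would tie the short value back to the tracking issue. The header is set before delegating to mux, so error responses from mux carry it as well, which is correct for HSTS; main continues outside the hunk.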