Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https. It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
2025-01-11 15:27:54 +00:00 · 2018-05-31 00:44:48 -04:00 · 2018-05-31 00:44:48 -04:00 · 8f98f87d12
commit 8f98f87d12
parent 6e96bbb2e9
2 changed files with 5 additions and 0 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -431,6 +431,7 @@ void WebApplication::configure()

    m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }

 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
        header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
        csp += QLatin1String(" frame-ancestors 'self';");
    }
+    if (m_isHttpsEnabled) {
+        csp += QLatin1String(" upgrade-insecure-requests;");
+    }

    header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@ -146,4 +146,5 @@ private:
    // security related
    bool m_isClickjackingProtectionEnabled;
    bool m_isCSRFProtectionEnabled;
+    bool m_isHttpsEnabled;
 };