| 18 | } |
| 19 | |
| 20 | func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error) { |
| 21 | if maxAge <= 0 { |
| 22 | // No header, so no need to build the header string. |
| 23 | return HSTSConfig{HeaderValue: ""}, nil |
| 24 | } |
| 25 | |
| 26 | // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security |
| 27 | var str strings.Builder |
| 28 | _, err := str.WriteString(fmt.Sprintf("max-age=%d", maxAge)) |
| 29 | if err != nil { |
| 30 | return HSTSConfig{}, xerrors.Errorf("hsts: write max-age: %w", err) |
| 31 | } |
| 32 | |
| 33 | for _, option := range options { |
| 34 | switch { |
| 35 | // Only allow valid options and fix any casing mistakes |
| 36 | case strings.EqualFold(option, "includeSubDomains"): |
| 37 | option = "includeSubDomains" |
| 38 | case strings.EqualFold(option, "preload"): |
| 39 | option = "preload" |
| 40 | default: |
| 41 | return HSTSConfig{}, xerrors.Errorf("hsts: invalid option: %q. Must be 'preload' and/or 'includeSubDomains'", option) |
| 42 | } |
| 43 | _, err = str.WriteString("; " + option) |
| 44 | if err != nil { |
| 45 | return HSTSConfig{}, xerrors.Errorf("hsts: write option: %w", err) |
| 46 | } |
| 47 | } |
| 48 | return HSTSConfig{ |
| 49 | HeaderValue: str.String(), |
| 50 | }, nil |
| 51 | } |
| 52 | |
| 53 | // HSTS will add the strict-transport-security header if enabled. This header |
| 54 | // forces a browser to always use https for the domain after it loads https once. |