gotour: set Strict-Transport-Security header on App Engine

Change-Id: Ib2395b68dd3bba96e2f1b61c4ce1b9e05cc0ca82 Reviewed-on: https://go-review.googlesource.com/22676 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
author: Andrew Gerrand <adg@golang.org> 2016-05-01 16:11:01 +1000
committer: Andrew Gerrand <adg@golang.org> 2016-05-02 16:32:48 +0000
commit: 98461c881e052af131a8d0d63e1ab0b388ca7de0 (patch)
tree: ed71a145b1a0820fa6d903f90a9fdb06fffc0dc7
parent: ad2a543973228410057dd779f91448286751d862 (diff)
download: golang-id-tour-98461c881e052af131a8d0d63e1ab0b388ca7de0.tar.xz
1 files changed, 10 insertions, 2 deletions
diff --git a/gotour/appengine.go b/gotour/appengine.go
index 45a8394..0cf8a5b 100644
--- a/gotour/appengine.go
+++ b/gotour/appengine.go
@@ -21,8 +21,8 @@ import (
 const runUrl = "http://golang.org/compile"
 
 func init() {
-	http.HandleFunc("/lesson/", lessonHandler)
-	http.HandleFunc("/", rootHandler)
+	http.Handle("/lesson/", hstsHandler(lessonHandler))
+	http.Handle("/", hstsHandler(rootHandler))
 
 	if err := initTour(".", "HTTPTransport"); err != nil {
 		panic(err)
@@ -87,3 +87,11 @@ func prepContent(in io.Reader) io.Reader {
 // socketAddr returns the WebSocket handler address.
 // The App Engine version does not provide a WebSocket handler.
 func socketAddr() string { return "" }
+
+// hstsHandler wraps an http.HandlerFunc such that it sets the HSTS header.
+func hstsHandler(fn http.HandlerFunc) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
+		fn(w, r)
+	})
+}
author	Andrew Gerrand <adg@golang.org>	2016-05-01 16:11:01 +1000
committer	Andrew Gerrand <adg@golang.org>	2016-05-02 16:32:48 +0000
commit	98461c881e052af131a8d0d63e1ab0b388ca7de0 (patch)
tree	ed71a145b1a0820fa6d903f90a9fdb06fffc0dc7
parent	ad2a543973228410057dd779f91448286751d862 (diff)
download	golang-id-tour-98461c881e052af131a8d0d63e1ab0b388ca7de0.tar.xz