From 46fa185849d13488d2045291b72b49a2f4ad3328 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 26 Mar 2024 18:57:43 +0100
Subject: [PATCH] Add a handler to every route adding response header ... if $HSTS is set at startup

---
 README.md | 9 +++++++++
 caddy_base.json | 2 +-
 entrypoint | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6ffb57d..a3b8aae 100644
--- a/README.md
+++ b/README.md
@@ -25,3 +25,12 @@ and providing cert and key files at the specified location. This is mostly for dev and testing setups and is not useful for a public domain as the cert is not issued by a trusted CA and therefore not trusted by browsers. If set, this overrules `ENABLE_AUTO_HTTPS`.
+
+## HSTS (HTTP Strict-Transport-Security)
+
+Set `HSTS=` in order to add the HTTP header
+
+ Strict-Transport-Security:
+
+to every response. See [mozilla's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
+for more details.
diff --git a/caddy_base.json b/caddy_base.json
index 9c2c18c..6197756 100644
--- a/caddy_base.json
+++ b/caddy_base.json
@@ -189,9 +189,9 @@
 {
 "handle": [
 {
+ "handler": "static_response",
 "body": "Misdirected Request",
 "close": true,
- "handler": "static_response",
 "status_code": 421
 }
 ],
diff --git a/entrypoint b/entrypoint
index 32d9b25..b8285e1 100755
--- a/entrypoint
+++ b/entrypoint
@@ -64,4 +64,10 @@ else
 jq_write "del(.apps.http.servers.srv0.routes[-2])"
 fi
+### Strict-Transport-Security ###
+if [ -n "$HSTS" ]; then
+ handler="{ \"handler\": \"headers\", \"response\": { \"add\": { \"Strict-Transport-Security\": [ \"${HSTS}\" ] } } }"
+ jq_write ".apps.http.servers.srv0.routes[].handle |= [ ${handler} ] + ."
+fi
+
 exec "$@"
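Review bot: `$HSTS` is spliced raw into a JSON string literal on the `handler=` line and from there into the jq filter on the `jq_write` line, so a value containing `"` or `\` yields an invalid filter (the startup step then fails, or the filter text itself changes) instead of an escaped header value. Letting jq quote it avoids that and keeps the `jq_write` line unchanged: `handler=$(jq -cn --arg v "$HSTS" '{handler: "headers", response: {add: {"Strict-Transport-Security": [$v]}}}')`. Separately, `add` appends rather than replaces, so a response that already carries Strict-Transport-Security (e.g. from a proxied upstream, if any route proxies) goes out with two values, and RFC 6797 clients honour only the first; `set` may be the intended semantics — confirm against the routes in caddy_base.json. The `|=` also touches every route in srv0, including the 421 static_response route, which is presumably fine but worth a one-line comment such as `# prepend the headers middleware to every route so it runs before the terminal handler`. jq_write and the enclosing if/else are defined outside the hunk.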