new file mode 100644
@@ -0,0 +1,55 @@
+--- a/main.c
++++ b/main.c
+@@ -135,6 +135,7 @@ static int usage(const char *name)
+ " -C file ASN.1 server certificate file\n"
+ " -K file ASN.1 server private key file\n"
+ " -q Redirect all HTTP requests to HTTPS\n"
++ " -P seconds Set Strict-Transport-Security header max-age\n"
+ #endif
+ " -h directory Specify the document root, default is '.'\n"
+ " -E string Use given virtual URL as 404 error handler\n"
+@@ -232,7 +233,7 @@ int main(int argc, char **argv)
+ init_defaults_pre();
+ signal(SIGPIPE, SIG_IGN);
+
+- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
++ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ switch(ch) {
+ #ifdef HAVE_TLS
+ case 'C':
+@@ -247,6 +248,10 @@ int main(int argc, char **argv)
+ conf.tls_redirect = 1;
+ break;
+
++ case 'P':
++ conf.hsts = atoi(optarg);
++ break;
++
+ case 's':
+ n_tls++;
+ /* fall through */
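Review bot: `conf.hsts = atoi(optarg);` on the new `case 'P'` accepts any string silently: `-P 1y` or `-P abc` yields 0 and quietly disables HSTS, a negative value does the same, and a value past INT_MAX is undefined behavior in atoi, so a misconfigured max-age can never be reported to the operator. Parse with strtol, reject trailing garbage, ERANGE, negatives and values above INT_MAX, and fail the way the other options presumably do (this main() and its default case continue outside the hunk, so the exact error path cannot be confirmed here); main.c would need `<errno.h>` and `<limits.h>` in scope if it does not already include them. Since the usage text for `-P` sits inside `#ifdef HAVE_TLS` but `P:` is added to the getopt string unconditionally, a non-TLS build will hit whatever the default case does for `-P`, which mirrors how `q` is already handled and is probably fine.
```c
case 'P': {
	char *end;
	errno = 0;
	long v = strtol(optarg, &end, 10);
	if (end == optarg || *end != '\0' || errno == ERANGE ||
	    v < 0 || v > INT_MAX) {
		fprintf(stderr, "Invalid -P max-age: %s\n", optarg);
		return usage(argv[0]);
	}
	conf.hsts = (int)v;
	break;
}
/* … unchanged: remaining option cases … */
```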
+--- a/uhttpd.h
++++ b/uhttpd.h
+@@ -64,6 +64,7 @@ struct config {
+ const char *lua_prefix;
+ const char *ubus_prefix;
+ const char *ubus_socket;
++ int hsts;
+ int no_symlinks;
+ int no_dirlists;
+ int network_timeout;
+--- a/client.c
++++ b/client.c
+@@ -64,6 +64,12 @@ void uh_http_header(struct client *cl, i
+ http_versions[cl->request.version],
+ code, summary, conn, enc);
+
++ if (( cl->tls ) && ( conf.hsts > 0 )) {
++ ustream_printf(cl->us,
++ "Strict-Transport-Security: max-age=%d\r\n",
++ conf.hsts);
++ }
++
+ if (!r->connection_close)
+ ustream_printf(cl->us, "Keep-Alive: timeout=%d\r\n", conf.http_keepalive);
+
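Review bot: The `conf.hsts > 0` gate makes it impossible to ever emit `Strict-Transport-Security: max-age=0`, which is the only mechanism RFC 6797 gives a site to revoke a policy it previously announced; an operator who rolls back `-P` simply stops sending the header and every client keeps the old pin until it expires. Consider initialising `hsts` to a sentinel such as -1 (in init_defaults_pre, outside this hunk) and testing `conf.hsts >= 0` here, so that an explicit `-P 0` is sent and only the unset default is silent. Emitting the header solely when `cl->tls` is set is correct, since RFC 6797 requires user agents to ignore it on plain HTTP, and it keeps the header off the `-q` redirect responses. As a point of style, `if (( cl->tls ) && ( conf.hsts > 0 ))` carries redundant parentheses and inner spaces that the surrounding code does not use; `if (cl->tls && conf.hsts > 0)` matches the file. uh_http_header() begins before and continues after this hunk.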
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. HSTS is an IETF standards track protocol and is specified in RFC 6797. This patch adds the possibility to specify a max-age with the option -P on uhttpd start. If the option is set and HTTPS is enabled, the server sends the Strict-Transport-Security header so that, for the specified time, the client communicates with this host only over HTTPS. This is a follow up request from: https://github.com/openwrt/luci/pull/1555 Signed-off-by: Florian Eckert <fe@dev.tdt.de> --- ...-Strict-Transport-Security-header-max-age.patch | 55 ++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch