enable hsts on rubykaigi.org

sorah · sorah · commit b317caeec291 · 2025-11-12T03:41:32.000+09:00
mixed content issues have been resolved at: - ruby-no-kai/rubykaigi-static#66 - ruby-no-kai/rubykaigi-static#67
diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
@@ -220,6 +220,7 @@ http {
     add_header X-Content-Type-Options "nosniff";
     add_header Content-Security-Policy "$csp_policy";
     add_header Content-Security-Policy-Report-Only "$csp_policy_report";
+
     location ~ ^/oedo02(.*) {
       return 301 https://magazine.rubyist.net/articles/0039/0039-MetPragdaveAtAsakusarb.html;
     }
@@ -506,6 +507,7 @@ http {
       set $csp_policy_report "default-src https:; report-uri https://<%= primary_host %>/_csp";
     }
     add_header X-Content-Type-Options "nosniff";
+    add_header Strict-Transport-Security "max-age=31536000";
     add_header Content-Security-Policy "$csp_policy";
     add_header Content-Security-Policy-Report-Only "$csp_policy_report";
 
@@ -515,7 +517,7 @@ http {
         proxy_hide_header Cache-Control;
         proxy_hide_header Expires;
         # 2015 sites and prior had mixed content issues
-        set $csp_policy "upgrade-insecure-requests; default-src https:";
+        set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; default-src https:";
         add_header Cache-Control "public, max-age=604800, s-maxage=31536000";
         proxy_pass https://2009-2011.rubykaigi.org;
     }
diff --git a/spec/regional_rubykaigi_org_spec.rb b/spec/regional_rubykaigi_org_spec.rb
@@ -72,13 +72,21 @@
 
         describe "/#{subdir}/" do
           let(:res) { http_get("https://regional.rubykaigi.org/#{subdir}/") }
+
           it "returns ok" do
             #pending 'kanrk05.herokuapp.com is down' if path == '/kansai05/'
             #pending 'http://rubykaigi-hamamatsu.s3-website-ap-northeast-1.amazonaws.com/hamamatsu01/ returns C-T:application/javascript' if path == '/hamamatsu01/'
             #pending 'asakusa.github.io returns 301 (#110)' if path == '/oedo10/'
             expect(res.code).to eq("200")
             expect(res["content-type"]).to include("text/html")
           end
+
+          it "has minimum security headers, but no hsts" do
+            expect(res["content-security-policy"]).to include("default-src https:")
+            expect(res["content-security-policy"]).to include("upgrade-insecure-requests")
+            expect(res["x-content-type-options"]).to eq("nosniff")
+            expect(res["strict-transport-security"]).to be_nil
+          end
         end
       end
     end
diff --git a/spec/rubykaigi_org_spec.rb b/spec/rubykaigi_org_spec.rb
@@ -185,21 +185,25 @@
     end
   end
 
-  describe "csp" do
+  describe "security headers" do
     HOSTED_YEARS.each do |year|
       describe "/#{year}/" do
         let(:res) { http_get("https://rubykaigi.org/#{year}/") }
-        it "returns minimum csp header" do
-          expect(res["content-security-policy-report-only"]).to include("default-src https:;")
+        it "returns security header" do
+          expect(res["content-security-policy-report-only"]).to include("default-src https:")
+          expect(res["content-security-policy"]).to include("frame-ancestors 'none'")
+          expect(res["x-content-type-options"]).to eq("nosniff")
+          expect(res["strict-transport-security"]).to include("max-age=")
         end
       end
     end
 
     (2006..2015).each do |year|
       describe "/#{year}/" do
         let(:res) { http_get("https://rubykaigi.org/#{year}/") }
-        it "returns minimum csp header" do
-          expect(res["content-security-policy"]).to include("upgrade-insecure-requests;")
+        it "returns security header" do
+          expect(res["content-security-policy"]).to include("default-src https:")
+          expect(res["content-security-policy"]).to include("upgrade-insecure-requests")
         end
       end
     end
