gotour: set Strict-Transport-Security header on App Engine Change-Id: Ib2395b68dd3bba96e2f1b61c4ce1b9e05cc0ca82 Reviewed-on: https://go-review.googlesource.com/22676 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit: 98461c881e052af131a8d0d63e1ab0b388ca7de0 [log] [tgz]
author: Andrew Gerrand <adg@golang.org> Sun May 01 16:11:01 2016 +1000
committer: Andrew Gerrand <adg@golang.org> Mon May 02 16:32:48 2016 +0000
tree: ed71a145b1a0820fa6d903f90a9fdb06fffc0dc7
parent: ad2a543973228410057dd779f91448286751d862 [diff]
diff --git a/gotour/appengine.go b/gotour/appengine.go
index 45a8394..0cf8a5b 100644
--- a/gotour/appengine.go
+++ b/gotour/appengine.go

@@ -21,8 +21,8 @@
 const runUrl = "http://golang.org/compile"
 
 func init() {
-	http.HandleFunc("/lesson/", lessonHandler)
-	http.HandleFunc("/", rootHandler)
+	http.Handle("/lesson/", hstsHandler(lessonHandler))
+	http.Handle("/", hstsHandler(rootHandler))
 
 	if err := initTour(".", "HTTPTransport"); err != nil {
 		panic(err)
@@ -87,3 +87,11 @@
 // socketAddr returns the WebSocket handler address.
 // The App Engine version does not provide a WebSocket handler.
 func socketAddr() string { return "" }
+
+// hstsHandler wraps an http.HandlerFunc such that it sets the HSTS header.
+func hstsHandler(fn http.HandlerFunc) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
+		fn(w, r)
+	})
+}
commit	98461c881e052af131a8d0d63e1ab0b388ca7de0	[log] [tgz]
author	Andrew Gerrand <adg@golang.org>	Sun May 01 16:11:01 2016 +1000
committer	Andrew Gerrand <adg@golang.org>	Mon May 02 16:32:48 2016 +0000
tree	ed71a145b1a0820fa6d903f90a9fdb06fffc0dc7
parent	ad2a543973228410057dd779f91448286751d862 [diff]