From 0238d429c7ad51c9cb95c32f10c7d92964792dc8 Mon Sep 17 00:00:00 2001 From: Andrew Gerrand Date: Sun, 1 May 2016 16:00:33 +1000 Subject: [PATCH] cmd/tip: set Strict-Transport-Security header in production Change-Id: I33db74025785c802a634f324ad110a4ec5381c1f Reviewed-on: https://go-review.googlesource.com/22674 Reviewed-by: Brad Fitzpatrick --- cmd/tip/tip.go | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/cmd/tip/tip.go b/cmd/tip/tip.go
index e521024f..c3de65cc 100644
--- a/cmd/tip/tip.go
+++ b/cmd/tip/tip.go
@@ -337,5 +337,9 @@ func (h httpsOnlyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, r.URL.String(), http.StatusFound)
 return
 }
+ if r.Header.Get("X-Appengine-Https") == "on" {
+ // Only set this header when we're actually in production.
+ w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
+ }
 h.h.ServeHTTP(w, r)
 }
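Review bot: The `preload` directive on the added `Strict-Transport-Security` value will not make this host eligible for the browser HSTS preload list, because list submission also requires `includeSubDomains` alongside a max-age of at least a year; either drop `preload` or send `max-age=31536000; includeSubDomains; preload` once every subdomain of this host is confirmed to be served over HTTPS, since that commitment is hard to reverse. The comment `// Only set this header when we're actually in production.` describes the check loosely: `X-Appengine-Https == "on"` means the request reached App Engine over TLS, which is exactly the case HSTS needs anyway (browsers ignore the header on plain-HTTP responses), so a more accurate comment would be `// Only send HSTS on responses that went over HTTPS; App Engine sets this header, and browsers ignore HSTS on plain HTTP.` Trusting `X-Appengine-Https` is reasonable on App Engine, where the frontend strips client-supplied `X-Appengine-*` headers, but if this binary is ever run behind a different proxy a client could set it; the only effect would be an HSTS header the browser discards over HTTP, so the risk is low but worth noting in the comment. The enclosing `ServeHTTP` method and the condition that triggers the preceding redirect start before the hunk.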