From c9a2436076ccd8b926215df8bce88b07ebdbccc8 Mon Sep 17 00:00:00 2001
From: Andrew Gerrand
Date: Sun, 1 May 2016 15:56:16 +1000
Subject: [PATCH] cmd/godoc: set Strict-Transport-Security header in production

This coerces browsers into enforcing HTTPS-only for golang.org.

Change-Id: I91a4cc64b10b9836ef5623314a3cf22a54033dc2
Reviewed-on: https://go-review.googlesource.com/22673
Reviewed-by: Brad Fitzpatrick
---
 cmd/godoc/handlers.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/godoc/handlers.go b/cmd/godoc/handlers.go
index dda1bb87..600be685 100644
--- a/cmd/godoc/handlers.go
+++ b/cmd/godoc/handlers.go
@@ -54,6 +54,7 @@ func (h hostEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 http.Redirect(w, r, r.URL.String(), http.StatusFound)
 return
 }
+ w.Header().Set("Strict-Transport-Security", "max-age=31536000; preload")
 h.h.ServeHTTP(w, r)
 }
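Review bot: The added `w.Header().Set("Strict-Transport-Security", ...)` line sends `preload` without `includeSubDomains`, so the policy binds browsers only for the exact host that served the response, and the value on its own does not meet the browser preload-list submission requirements, which expect both directives. If every subdomain already serves HTTPS, the value should be `"max-age=31536000; includeSubDomains; preload"`; otherwise drop `preload` until that holds, because a preload-list entry is slow to remove. A one-year `max-age` is also hard to roll back once browsers have cached it, so a comment above the line such as `// HSTS: reached only after the redirect branch above; must not be sent over plain HTTP (RFC 6797)` would record the intent. The condition guarding the redirect branch starts outside the hunk, so it is an assumption here that this line is reached only for TLS requests on an accepted host.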