Add HTTP to HTTPS redirect and HSTS headers#255
Merged
Pull request overview
This PR hardens transport security by adding HTTP→HTTPS redirects and HSTS headers in both the Go API server (Gin middleware) and the .NET MCP server (ASP.NET Core pipeline).
Changes:
- Added `SecurityHeaders` Gin middleware to redirect HTTP requests to HTTPS and inject an HSTS header.
- Registered the new middleware in the API server startup pipeline.
- Added unit tests for redirect/HSTS behavior; enabled `UseHsts()` and `UseHttpsRedirection()` in the MCP server.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| mcpserver/Program.cs | Enables ASP.NET Core HSTS + HTTPS redirection middleware. |
| apiserver/main.go | Registers the new SecurityHeaders middleware in Gin startup. |
| apiserver/internal/utils/middleware/middleware.go | Implements SecurityHeaders middleware (redirect + HSTS). |
| apiserver/internal/utils/middleware/middleware_test.go | Adds unit tests for HSTS injection and redirect behavior. |
Comments suppressed due to low confidence (1)
apiserver/internal/utils/middleware/middleware.go:59
- The redirect URL is built from `cfg.Server.HostName` and `cfg.Server.Port`, but `cfg.Server.Port` is also used as the server listen port (`http.Server.Addr` in `main.go`). In common reverse-proxy/container setups the internal listen port differs from the externally visible HTTPS port, which would cause redirects to an unreachable port. Prefer deriving host/port from forwarded headers (`X-Forwarded-Host`/`X-Forwarded-Port`) or `c.Request.Host`, and only fall back to config when explicitly set (also handle empty `HostName`).
```go
func SecurityHeaders(cfg *config.Config) gin.HandlerFunc {
	hostName := cfg.Server.HostName
	port := cfg.Server.Port
	return func(c *gin.Context) {
		// Plaintext requests are recognised by the proxy-supplied X-Forwarded-Proto header.
		proto := c.GetHeader("X-Forwarded-Proto")
		if proto == "http" {
			target := fmt.Sprintf("https://%s", hostName)
			if port != 443 {
				target = fmt.Sprintf("%s:%d", target, port)
			}
			target = fmt.Sprintf("%s%s", target, c.Request.URL.RequestURI())
			c.Redirect(http.StatusMovedPermanently, target)
			c.Abort()
			return
		}
		// The review excerpt ends at the redirect; the HSTS header named in the PR summary
		// is set here on HTTPS responses only.
		c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
		c.Next()
	}
}
```
Summary
Add security hardening by redirecting HTTP requests to HTTPS and setting HSTS (Strict-Transport-Security) headers.
Changes
API Server
- `SecurityHeaders` middleware that:
  - Redirects HTTP requests to HTTPS when the `X-Forwarded-Proto` header indicates HTTP
  - Sets the `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` header on HTTPS responses
MCP Server
- `UseHsts()` and `UseHttpsRedirection()` in the ASP.NET Core pipeline
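As an added example (not code from this PR or its repository), the reviewer's suggestion on `middleware.go:59` worked through together with the behaviour listed in the summary above: the redirect target is derived from `X-Forwarded-Host`/`X-Forwarded-Port` first, then from the request `Host` with the internal listen port stripped, and the configured host/port is used only when `HostName` is explicitly set; a request with no usable host is refused instead of redirected to a guessed address, and the HSTS value from the summary is set on HTTPS responses. It is written against Go's `net/http` rather than Gin so it runs with the standard library alone; `ServerConfig`, `redirectTarget`, `probe` and the hostnames are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)
// ServerConfig stands in for the page's cfg.Server (field names assumed from the review).
type ServerConfig struct {
	HostName string // externally visible host; empty means "not configured"
	Port     int    // externally visible HTTPS port; 0 means "not configured"
}

const hstsValue = "max-age=31536000; includeSubDomains; preload"

// firstValue returns the first entry of a comma-separated proxy header, trimmed.
func firstValue(v string) string { return strings.TrimSpace(strings.SplitN(v, ",", 2)[0]) }

// redirectTarget derives the HTTPS URL for a plaintext request. Precedence: X-Forwarded-Host
// and X-Forwarded-Port from the proxy, then the request Host with any internal listen port
// stripped, then config (only when HostName is explicitly set). ok is false if no host is known.
func redirectTarget(r *http.Request, cfg ServerConfig) (target string, ok bool) {
	host := firstValue(r.Header.Get("X-Forwarded-Host"))
	port := firstValue(r.Header.Get("X-Forwarded-Port"))
	switch {
	case host != "":
		// A port inside X-Forwarded-Host is the external one; X-Forwarded-Port wins if present.
		if h, p, err := net.SplitHostPort(host); err == nil {
			host = h
			if port == "" {
				port = p
			}
		}
	case r.Host != "":
		// r.Host may carry the internal listen port (api.internal:8080); it is unreachable externally.
		host = r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
	case cfg.HostName != "":
		host = cfg.HostName
		if cfg.Port != 0 {
			port = strconv.Itoa(cfg.Port)
		}
	default:
		return "", false
	}
	target = "https://" + host
	if port != "" && port != "443" {
		target += ":" + port
	}
	return target + r.URL.RequestURI(), true
}

// SecurityHeaders redirects proxied plaintext requests and adds HSTS to TLS responses.
func SecurityHeaders(cfg ServerConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-Proto") == "http" {
			target, ok := redirectTarget(r, cfg)
			if !ok { // no trustworthy host to redirect to: refuse rather than guess
				http.Error(w, "HTTPS required", http.StatusBadRequest)
				return
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns status, Location, HSTS.
func probe(cfg ServerConfig, host, path string, headers map[string]string) (int, string, string) {
	h := SecurityHeaders(cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Host = host
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	cfg := ServerConfig{HostName: "api.example.com", Port: 8080} // 8080 is also the internal listen port
	for _, hdrs := range []map[string]string{
		{"X-Forwarded-Proto": "http", "X-Forwarded-Host": "api.example.com", "X-Forwarded-Port": "443"},
		{"X-Forwarded-Proto": "http"},
		{"X-Forwarded-Proto": "https"},
	} {
		code, loc, hsts := probe(cfg, "api.internal:8080", "/v1/items?x=1", hdrs)
		fmt.Printf("%v -> %d location=%q hsts=%q\n", hdrs, code, loc, hsts)
	}
}
```

Running the file prints the three constructed scenarios: with the proxy headers present the redirect goes to `https://api.example.com/v1/items?x=1` even though the configured port is the internal 8080; without them the listen port is dropped from the request host; an HTTPS request passes through with the HSTS header. The `X-Forwarded-*` headers should be honoured only when the server is reachable solely through a proxy that overwrites them, because otherwise the host in the redirect is whatever the client sent; in deployments where that cannot be guaranteed, compare the derived host against the set of hostnames the service is expected to serve before redirecting.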