Initial code for mta-sts

Signed-off-by: Gunni <github.march@s.meh.is>

Author: Gunni

mta-sts-template/.gitignore

@@ -0,0 +1,167 @@
+# Logs
+
+logs
+_.log
+npm-debug.log_
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# Runtime data
+
+pids
+_.pid
+_.seed
+\*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+
+lib-cov
+
+# Coverage directory used by tools like istanbul
+
+coverage
+\*.lcov
+
+# nyc test coverage
+
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+
+bower_components
+
+# node-waf configuration
+
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+
+build/Release
+
+# Dependency directories
+
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+
+web_modules/
+
+# TypeScript cache
+
+\*.tsbuildinfo
+
+# Optional npm cache directory
+
+.npm
+
+# Optional eslint cache
+
+.eslintcache
+
+# Optional stylelint cache
+
+.stylelintcache
+
+# Microbundle cache
+
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+
+.node_repl_history
+
+# Output of 'npm pack'
+
+\*.tgz
+
+# Yarn Integrity file
+
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+
+.cache
+.parcel-cache
+
+# Next.js build output
+
+.next
+out
+
+# Nuxt.js build / generate output
+
+.nuxt
+dist
+
+# Gatsby files
+
+.cache/
+
+# Comment in the public line in if your project uses Gatsby and not Next.js
+
+# https://nextjs.org/blog/next-9-1#public-directory-support
+
+# public
+
+# vuepress build output
+
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+
+.temp
+.cache
+
+# Docusaurus cache and generated files
+
+.docusaurus
+
+# Serverless directories
+
+.serverless/
+
+# FuseBox cache
+
+.fusebox/
+
+# DynamoDB Local files
+
+.dynamodb/
+
+# TernJS port file
+
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+
+.vscode-test
+
+# yarn v2
+
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.\*
+
+# wrangler project
+
+.dev.vars*
+!.dev.vars.example
+.env*
+!.env.example
+.wrangler/

mta-sts-template/README.md

@@ -0,0 +1,13 @@
+# MTA-STS Cloudflare worker
+
+[![Deploy to Cloudflare](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/templates/tree/main/mta-sts-template)
+
+<!-- dash-content-start -->
+
+This is a [mta-sts](todo) worker, it satisfies the web part of RFC 8461, note that the DNS part is your responsibility.
+
+<!-- dash-content-end -->
+
+When deploying this worker you add it as a custom sub-domain named `mta-sts` under the domain you want to enable MTA-STS for.
+
+After ensuring it works and is publishing the correct content you need to add a TXT DNS record at `_mta-sts` with a value of this format `"v=STSv1; id=20260220T211000;"`.

mta-sts-template/package-lock.json

@@ -0,0 +1,30 @@
+{
+	"name": "mta-sts",
+	"private": true,
+	"scripts": {
+		"deploy": "wrangler deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev"
+	},
+	"env": {
+		"MAX_AGE": 60,
+		"MODE": "testing",
+		"MX": "mx1.example.com\nmx2.example.com"
+	},
+	"devDependencies": {
+		"wrangler": "^4.37.1"
+	},
+	"cloudflare": {
+		"label": "MTA-STS",
+		"products": [
+			"Workers"
+		],
+		"categories": [
+			"static"
+		],
+		"docs_url": "https://developers.cloudflare.com/workers/",
+		"icon_urls": [],
+		"preview_image_url": "https://fast.image.delivery/nnoriwy.png",
+		"publish": true
+	}
+}

mta-sts-template/package.json

@@ -0,0 +1,92 @@
+export default {
+  async fetch(request, env, ctx) {
+    const url = new URL(request.url);
+    const policyPath = '/.well-known/mta-sts.txt';
+
+    // recommended MAX_AGEs:
+    // 1 week: 604800   (good for testing)
+    // 1 month: 2628000 (good for prod?)
+    // 1 year: 31557600 (you cannot go higher as defined in RFC 8461)
+
+    // max_age: non-negative integer, max 31,557,600 (RFC 8461 §3.2)
+    const MAX_AGE_MIN = 0;           // if MAX_AGE < MAX_AGE_MIN then we use MAX_AGE_DEFAULT
+    const MAX_AGE_DEFAULT = 60;      // only used until you set environment variable MAX_AGE
+    const MAX_AGE_MAX = 31_557_600;  // if MAX_AGE > MAX_AGE_MAX then we use MAX_AGE_MAX
+
+    const rawMaxAge = String(env.MAX_AGE ?? '').trim();
+    const parsedMaxAge = rawMaxAge === '' ? NaN : parseInt(rawMaxAge, 10);
+    const maxAge = !Number.isInteger(parsedMaxAge) || parsedMaxAge < 0
+      ? MAX_AGE_DEFAULT // RFC: Non-negative integer required
+      : parsedMaxAge < MAX_AGE_MIN
+        ? MAX_AGE_DEFAULT // Your choice: reset to default if too low
+        : parsedMaxAge > MAX_AGE_MAX
+          ? MAX_AGE_MAX // RFC: Usually 1 year (31557600)
+          : parsedMaxAge;
+
+    const defaultHeaders = {
+      'Allow': 'GET, HEAD',
+      'Content-Type': 'text/plain; charset=utf-8',
+      // Optional
+      'Strict-Transport-Security': `max-age=${maxAge}`,
+    };
+
+    // Only GET/HEAD are allowed
+    const method = request.method.toUpperCase();
+    if (method !== 'GET' && method !== 'HEAD') {
+      const h = new Headers({ ...defaultHeaders, 'Allow': 'GET, HEAD' });
+      return new Response('Method Not Allowed', { status: 405, headers: h });
+    }
+
+    // Redirect everything that's not the canonical path to the policy URL
+    // Dedicated hostname => cache redirect aggressively
+    if (url.pathname !== policyPath) {
+      const target = new URL(policyPath, url.origin).toString();
+      const redirectHeaders = new Headers({
+        ...defaultHeaders,
+        'Location': target,
+        'Cache-Control': `public, max-age=${maxAge}, immutable`,
+      });
+      return new Response(null, { status: 308, headers: redirectHeaders });
+    }
+
+    // mode: enforce | testing | none
+    const allowedModes = new Set(['enforce', 'testing', 'none']);
+    const modeRaw = (env.MODE || 'none').toLowerCase();
+    const mode = allowedModes.has(modeRaw) ? modeRaw : 'none';
+
+    // mx: only applicable for enforce/testing
+    const mxLines =
+      mode !== 'none'
+        ? String(env.MX_HOSTS || '')
+            .split(/[,\s]+/)
+            .map((s) => s.trim())
+            .filter(Boolean)
+            .map((mx) => `mx: ${mx}`)
+        : [];
+
+    // Enforce RFC rule: mx required when mode is enforce/testing
+    if ((mode === 'enforce' || mode === 'testing') && mxLines.length === 0) {
+      const h = new Headers({ ...defaultHeaders });
+      return new Response(
+        'Misconfigured Worker: MX_HOSTS required when MODE is "enforce" or "testing".',
+        { status: 500, headers: h }
+      );
+    }
+
+    // For mode "none", omit mx lines in the policy output
+    const lines = [
+      'version: STSv1',
+      `mode: ${mode}`,
+      ...mxLines,
+      `max_age: ${maxAge}`,
+    ];
+    const body = lines.join('\n') + '\n'; // add newline at end of file
+    const headers = new Headers(defaultHeaders);
+
+    if (method == 'HEAD') {
+        return new Response(null, { status: 200, headers });
+    }
+
+    return new Response(body, { status: 200, headers });
+  },
+};

mta-sts-template/src/index.js

@@ -0,0 +1,24 @@
+{
+	"compilerOptions": {
+		/* Visit https://aka.ms/tsconfig.json to read more about this file */
+
+		/* Allow JavaScript files to be a part of your program. Use the `checkJS` option to get errors from these files. */
+		"allowJs": true,
+		/* Enable error reporting in type-checked JavaScript files. */
+		"checkJs": false,
+
+		/* Disable emitting files from a compilation. */
+		"noEmit": true,
+
+		/* Ensure that each file can be safely transpiled without relying on other imports. */
+		"isolatedModules": true,
+
+		/* Ensure that casing is correct in imports. */
+		"forceConsistentCasingInFileNames": true,
+
+		/* Enable all strict type-checking options. */
+		"strict": true,
+
+        "lib": ["es2015", "dom"]
+	}
+}

mta-sts-template/tsconfig.json

@@ -0,0 +1,30 @@
+name = "mta-sts"
+main = "src/index.js"
+compatibility_date = "2026-02-21"
+
+[env.test_none.vars]
+# RFC 8461: max_age must be non-negative.
+# 60 = 1 minute (Good starting point when starting)
+MODE     = "none"
+MAX_AGE  = "60"
+
+[env.test_testing.vars]
+# RFC 8461: max_age must be non-negative.
+# 60 = 1 minute (Good starting point when starting)
+MODE     = "testing"
+MAX_AGE  = "bla"
+MX_HOSTS = "mx1.example.com mx2.example.com"
+
+[env.enforce_proton.vars]
+# RFC 8461: max_age must be non-negative.
+# 604800 = 1 week (Good starting point)
+MAX_AGE  = 60
+MODE     = "enforce"
+MX_HOSTS = "mail.protonmail.ch mailsec.protonmail.ch"
+
+[env.enforce_protonalias.vars]
+# RFC 8461: max_age must be non-negative.
+# 604800 = 1 week (Good starting point)
+MAX_AGE  = 60
+MODE     = "enforce"
+MX_HOSTS = "mx1.alias.proton.me mx2.alias.proton.me"