Make HSTS policy configurable if https is enabled (#4462)

* Make HSTS policy configurable if https is enabled * refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server. Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only. --------- Co-authored-by: Konstantin Kayukin <t_kkayukin@admarketplace.com> Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
2026-05-26 07:08:01 +00:00 · 2026-05-19 14:28:05 +02:00
parent 121b6e0bd0
commit 758e1ad050
2 changed files with 7 additions and 1 deletions
--- a/config/config.go
+++ b/config/config.go
@@ -57,6 +57,11 @@ func IsDebug() bool {
 	return os.Getenv("XUI_DEBUG") == "true"
 }

+// IsSkipHSTS returns true if skipping HSTS mode is enabled via the XUI_SKIP_HSTS environment variable.
+func IsSkipHSTS() bool {
+	return os.Getenv("XUI_SKIP_HSTS") == "true"
+}
+
 // GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER.
 func GetBinFolderPath() string {
 	binFolderPath := os.Getenv("XUI_BIN_FOLDER")
--- a/web/web.go
+++ b/web/web.go
@@ -154,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {

 	engine := gin.Default()
 	directHTTPS := s.isDirectHTTPSConfigured()
-	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
+	sendHSTS := directHTTPS && !config.IsSkipHSTS()
+	engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))

 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {