From 758e1ad05047b338765d67e4505f3ba4052c0ed2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9A=D0=BE=D0=BD=D1=81=D1=82=D0=B0=D0=BD=D1=82=D0=B8?= =?UTF-8?q?=D0=BD?=
Date: Tue, 19 May 2026 14:28:05 +0200
Subject: [PATCH] Make HSTS policy configurable if https is enabled (#4462)

* Make HSTS policy configurable if https is enabled

* refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag

isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server.

Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only.

---------

Co-authored-by: Konstantin Kayukin
Co-authored-by: Sanaei
---
 config/config.go | 5 +++++
 web/web.go | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/config.go b/config/config.go
index 31c285d2..59ad671b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -57,6 +57,11 @@ func IsDebug() bool {
 	return os.Getenv("XUI_DEBUG") == "true"
 }
 
+// IsSkipHSTS returns true if skipping HSTS mode is enabled via the XUI_SKIP_HSTS environment variable.
+func IsSkipHSTS() bool {
+	return os.Getenv("XUI_SKIP_HSTS") == "true"
+}
+
 // GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER.
 func GetBinFolderPath() string {
 	binFolderPath := os.Getenv("XUI_BIN_FOLDER")
diff --git a/web/web.go b/web/web.go
index 35516e4d..e903a016 100644
--- a/web/web.go
+++ b/web/web.go
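Review bot: The doc comment on the new `IsSkipHSTS` names the variable but does not say what skipping changes or when it applies, and since the flag switches off a security header that effect belongs next to the function rather than only in the commit message. Suggested wording: `// IsSkipHSTS reports whether XUI_SKIP_HSTS is set to "true", which stops the Strict-Transport-Security header from being sent on a direct-HTTPS listener (e.g. when a reverse proxy in front of the panel sets its own policy); it does not clear a policy browsers have already cached from an earlier max-age.` The exact-string comparison mirrors IsDebug just above, so only the literal "true" enables it; a word on that in the comment keeps operators from assuming "1" or "TRUE" work.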
@@ -154,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 	engine := gin.Default()
 
 	directHTTPS := s.isDirectHTTPSConfigured()
-	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
+	sendHSTS := directHTTPS && !config.IsSkipHSTS()
+	engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))
 
 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {
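Review bot: The reason the env-var check sits on the `sendHSTS` line instead of inside `isDirectHTTPSConfigured` — so that `XUI_SKIP_HSTS` does not also drop the session cookie's Secure flag set further down — exists only in the commit message and will be lost to the next reader of initRouter. A one-line comment above `sendHSTS := directHTTPS && !config.IsSkipHSTS()` would keep it: `// Gate HSTS here, not in isDirectHTTPSConfigured: XUI_SKIP_HSTS must not affect the session cookie's Secure flag.` Since the flag weakens the header set of a listener that is otherwise serving TLS directly, a startup log line when directHTTPS is true and sendHSTS is false would also make the choice visible to operators reviewing the panel's configuration. initRouter begins and ends outside this hunk, and the cookie code the commit message refers to is not in view.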