Make HSTS policy configurable if https is enabled (#4462)

* Make HSTS policy configurable if https is enabled * refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server. Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only. --------- Co-authored-by: Konstantin Kayukin <t_kkayukin@admarketplace.com> Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
2026-05-26 07:08:01 +00:00 · 2026-05-19 14:28:05 +02:00
parent 121b6e0bd0
commit 758e1ad050
2 changed files with 7 additions and 1 deletions
--- a/web/web.go
+++ b/web/web.go
@@ -154,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {

 	engine := gin.Default()
 	directHTTPS := s.isDirectHTTPSConfigured()
-	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
+	sendHSTS := directHTTPS && !config.IsSkipHSTS()
+	engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))

 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {