mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-26 15:13:29 +00:00
758e1ad050
* Make HSTS policy configurable if https is enabled * refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server. Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only. --------- Co-authored-by: Konstantin Kayukin <t_kkayukin@admarketplace.com> Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>