From 75b0a6f7bb6e564ec487380bd20541ce2fbc9fb1 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Mon, 30 Jun 2025 13:43:46 +0300
Subject: [PATCH] Fix sending HSTS over plain HTTP does nothing

* Note: per the spec (RFC 6797), HSTS only takes effect when delivered on an HTTPS response https://datatracker.ietf.org/doc/html/rfc6797#section-7.2
---
 web-lib-funcs.pl | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 458e41d33..c7ae956b5 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -1077,11 +1077,13 @@ sub PrintHeader
 {
 my ($cs, $mt, $headers) = @_;
 $mt ||= "text/html";
-if ($ENV{'SSL_HSTS'} == 1 && uc($ENV{'HTTPS'}) eq "ON") {
- print "Strict-Transport-Security: max-age=31536000;\n";
- }
-elsif (uc($ENV{'HTTPS'}) ne "ON") {
- print "Strict-Transport-Security: max-age=0;\n";
+if (uc($ENV{'HTTPS'}) eq "ON") {
+ if ($ENV{'SSL_HSTS'}) {
+ print "Strict-Transport-Security: max-age=31536000;\n";
+ }
+ else {
+ print "Strict-Transport-Security: max-age=0;\n";
+ }
 }
 if ($pragma_no_cache || $gconfig{'pragma_no_cache'}) {
 print "pragma: no-cache\n";
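Review bot: `uc($ENV{'HTTPS'})` on the new `if` line reads an environment variable that is presumably absent on plain-HTTP requests, so if warnings are enabled for this file every non-TLS call to PrintHeader logs a "Use of uninitialized value" warning; `if (uc($ENV{'HTTPS'} || "") eq "ON") {` avoids that without changing the outcome. The `else` branch now emits `max-age=0` on every HTTPS response where SSL_HSTS is unset, which deliberately revokes a policy a browser cached while HSTS was enabled; that is a security-relevant choice worth a comment such as `# HSTS disabled: send max-age=0 over TLS so browsers drop any previously cached policy (RFC 6797 only honours the header on HTTPS)`. The decision keys solely on `$ENV{'HTTPS'}`, so when TLS is terminated by a proxy in front of this server the header is presumably never sent; whether that case is handled elsewhere is not visible here. PrintHeader's body continues past the end of the hunk.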