From db3ade87ccf94068cdce20392fbb21639e35de6e Mon Sep 17 00:00:00 2001
From: iliajie
Date: Tue, 13 Sep 2022 00:05:50 +0300
Subject: [PATCH] Always unset HSTS when sending headers in non SSL mode (most probably useless)
---
 web-lib-funcs.pl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 315e4af58..9444e49ab 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -972,6 +972,9 @@ $mt ||= "text/html";
 if (!$gconfig{'no_strict_transport_security'} && uc($ENV{'HTTPS'}) eq "ON") {
 print "Strict-Transport-Security: max-age=31536000;\n";
 }
+elsif (uc($ENV{'HTTPS'}) ne "ON") {
+ print "Strict-Transport-Security: max-age=0;\n";
+ }
 if ($pragma_no_cache || $gconfig{'pragma_no_cache'}) {
 print "pragma: no-cache\n";
 print "Expires: Thu, 1 Jan 1970 00:00:00 GMT\n";
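Review bot: The added `elsif` sends `Strict-Transport-Security: max-age=0;` whenever `$ENV{'HTTPS'}` is not `ON`, which is a statement about the backend's environment and not necessarily about the connection the browser sees. RFC 6797 has browsers ignore this header on a plain-HTTP response, so in the direct non-SSL case it does nothing; but if the server sits behind a TLS-terminating proxy that does not set `HTTPS` for the backend, the header arrives over TLS and clears the HSTS policy for the whole hostname, including one set by the proxy or by another service on that host. The branch also skips the `$gconfig{'no_strict_transport_security'}` check, so an admin who opted out of HSTS handling still gets the header emitted. I would drop the branch, or make clearing an explicit opt-in and document the proxy case, e.g. `elsif ($gconfig{'<hsts_clear_option>'} && uc($ENV{'HTTPS'}) ne "ON") {` (placeholder key name, not an existing setting). The enclosing sub starts and ends outside the hunk, so how `HTTPS` is populated for proxied requests is not visible here.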