Fix: stop sending HSTS over plain HTTP, where it does nothing

* Note: per the spec (RFC 6797), HSTS only takes effect when delivered on an HTTPS response

https://datatracker.ietf.org/doc/html/rfc6797#section-7.2
Ilia Ross
2025-06-30 13:43:46 +03:00
parent 40707d8602
commit 75b0a6f7bb


@ -1077,11 +1077,13 @@ sub PrintHeader
{
my ($cs, $mt, $headers) = @_;
$mt ||= "text/html";
if ($ENV{'SSL_HSTS'} == 1 && uc($ENV{'HTTPS'}) eq "ON") {
print "Strict-Transport-Security: max-age=31536000;\n";
}
elsif (uc($ENV{'HTTPS'}) ne "ON") {
print "Strict-Transport-Security: max-age=0;\n";
if (uc($ENV{'HTTPS'}) eq "ON") {
if ($ENV{'SSL_HSTS'}) {
print "Strict-Transport-Security: max-age=31536000;\n";
}
else {
print "Strict-Transport-Security: max-age=0;\n";
}
}
if ($pragma_no_cache || $gconfig{'pragma_no_cache'}) {
print "pragma: no-cache\n";
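Review bot: The new `else` branch inside the HTTPS block sends `Strict-Transport-Security: max-age=0` whenever `SSL_HSTS` is merely unset, and that is not a neutral "HSTS not configured" response — it instructs the browser to discard any HSTS policy it already holds for the host (for example one set by a proxy in front of this server or by an earlier configuration), so an operator who never opted in to HSTS still actively revokes it. If the intent is only "don't enable HSTS", the header should be omitted in that case and `max-age=0` emitted only on an explicit disable setting, e.g. `if ($ENV{'SSL_HSTS'}) { print "Strict-Transport-Security: max-age=31536000\n"; }` with no `else`. The condition also changes from `$ENV{'SSL_HSTS'} == 1` to plain truthiness, so a value such as `"no"` or `"false"` that was previously numerically false now enables HSTS; that may be intended but is not mentioned in the commit message. The trailing `;` after `max-age=31536000` is tolerated by the RFC 6797 directive grammar but is conventionally dropped. `PrintHeader` continues past the end of this hunk.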