Make HSTS policy configurable if https is enabled (#4462)

kayukin · Konstantin Kayukin · MHSanaei · web-flow · commit 758e1ad05047 · 2026-05-19T14:28:05.000+02:00
* Make HSTS policy configurable if https is enabled

* refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag

isDirectHTTPSConfigured was being reused for both the HSTS middleware and
the session cookie's Secure flag (web.go:185). Embedding the env-var
check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure
from session cookies on a real HTTPS server. Split the concerns: keep
isDirectHTTPSConfigured honest (cert/key only) and combine it with the
env var at the call site for the HSTS middleware only.

---------

Co-authored-by: Konstantin Kayukin &lt;t_kkayukin@admarketplace.com&gt;
Co-authored-by: Sanaei &lt;ho3ein.sanaei@gmail.com&gt;
diff --git a/config/config.go b/config/config.go
@@ -57,6 +57,11 @@ func IsDebug() bool {
 	return os.Getenv("XUI_DEBUG") == "true"
 }
 
+// IsSkipHSTS returns true if skipping HSTS mode is enabled via the XUI_SKIP_HSTS environment variable.
+func IsSkipHSTS() bool {
+	return os.Getenv("XUI_SKIP_HSTS") == "true"
+}
+
 // GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER.
 func GetBinFolderPath() string {
 	binFolderPath := os.Getenv("XUI_BIN_FOLDER")
diff --git a/web/web.go b/web/web.go
@@ -154,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 
 	engine := gin.Default()
 	directHTTPS := s.isDirectHTTPSConfigured()
-	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
+	sendHSTS := directHTTPS && !config.IsSkipHSTS()
+	engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))
 
 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {
