refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag

isDirectHTTPSConfigured was being reused for both the HSTS middleware and
the session cookie's Secure flag (web.go:185). Embedding the env-var
check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure
from session cookies on a real HTTPS server. Split the concerns: keep
isDirectHTTPSConfigured honest (cert/key only) and combine it with the
env var at the call site for the HSTS middleware only.
MHSanaei 2026-05-19 14:27:34 +02:00
parent ef1fa9cc55
commit 46afac8228
No known key found for this signature in database
GPG key ID: 7E4060F2FBE5AB7A


@ -132,9 +132,6 @@ func NewServer() *Server {
}
func (s *Server) isDirectHTTPSConfigured() bool {
if config.IsSkipHSTS() {
return false
}
certFile, certErr := s.settingService.GetCertFile()
keyFile, keyErr := s.settingService.GetKeyFile()
if certErr != nil || keyErr != nil || certFile == "" || keyFile == "" {
@ -157,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
engine := gin.Default()
directHTTPS := s.isDirectHTTPSConfigured()
engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
sendHSTS := directHTTPS && !config.IsSkipHSTS()
engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))
webDomain, err := s.settingService.GetWebDomain()
if err != nil {