From 46afac822842382b2bf51298b3d33c2185443e86 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Tue, 19 May 2026 14:27:34 +0200
Subject: [PATCH] refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag

isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server.

Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only.
---
 web/web.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/web/web.go b/web/web.go
index aa982827..e903a016 100644
--- a/web/web.go
+++ b/web/web.go
@@ -132,9 +132,6 @@ func NewServer() *Server {
 }
 
 func (s *Server) isDirectHTTPSConfigured() bool {
-	if config.IsSkipHSTS() {
-		return false
-	}
 	certFile, certErr := s.settingService.GetCertFile()
 	keyFile, keyErr := s.settingService.GetKeyFile()
 	if certErr != nil || keyErr != nil || certFile == "" || keyFile == "" {
@@ -157,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 	engine := gin.Default()
 
 	directHTTPS := s.isDirectHTTPSConfigured()
-	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
+	sendHSTS := directHTTPS && !config.IsSkipHSTS()
+	engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))
 
 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {
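Review bot: The new `sendHSTS` line in initRouter carries the whole reason for this commit but nothing in the code records it, so the next person to "simplify" by folding the env check back into isDirectHTTPSConfigured will reintroduce the Secure-cookie regression the message describes. Add a why-comment above it: `// XUI_SKIP_HSTS only suppresses the HSTS header; the session cookie's Secure flag (set elsewhere from directHTTPS) must not depend on it.` It would also be worth the single-line `if directHTTPS && !sendHSTS { logger.Warning("HSTS disabled by XUI_SKIP_HSTS on a direct-HTTPS listener") }` so an operator can see the header is off on a real TLS server, assuming the package's existing logger is in scope here, which this hunk does not show. What SecurityHeadersMiddleware does with a false argument, and the Secure-flag site the message cites as web.go:185, are outside the hunk and cannot be checked from here; initRouter's body also continues past the end of the hunk.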