refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag
isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server. Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only.
This commit is contained in:
parent
ef1fa9cc55
commit
46afac8228
1 changed files with 2 additions and 4 deletions
|
|
@ -132,9 +132,6 @@ func NewServer() *Server {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) isDirectHTTPSConfigured() bool {
|
func (s *Server) isDirectHTTPSConfigured() bool {
|
||||||
if config.IsSkipHSTS() {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
certFile, certErr := s.settingService.GetCertFile()
|
certFile, certErr := s.settingService.GetCertFile()
|
||||||
keyFile, keyErr := s.settingService.GetKeyFile()
|
keyFile, keyErr := s.settingService.GetKeyFile()
|
||||||
if certErr != nil || keyErr != nil || certFile == "" || keyFile == "" {
|
if certErr != nil || keyErr != nil || certFile == "" || keyFile == "" {
|
||||||
|
|
@ -157,7 +154,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
|
||||||
|
|
||||||
engine := gin.Default()
|
engine := gin.Default()
|
||||||
directHTTPS := s.isDirectHTTPSConfigured()
|
directHTTPS := s.isDirectHTTPSConfigured()
|
||||||
engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
|
sendHSTS := directHTTPS && !config.IsSkipHSTS()
|
||||||
|
engine.Use(middleware.SecurityHeadersMiddleware(sendHSTS))
|
||||||
|
|
||||||
webDomain, err := s.settingService.GetWebDomain()
|
webDomain, err := s.settingService.GetWebDomain()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
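Review bot: The new `sendHSTS` value in the second hunk is passed to `middleware.SecurityHeadersMiddleware`, whose parameter name and use are not visible here; if that middleware keys anything other than the Strict-Transport-Security header on its boolean (for instance a CSP `upgrade-insecure-requests` directive), `XUI_SKIP_HSTS` would now silently disable that as well, so the middleware's contract is worth confirming or its parameter renamed to say "hsts" explicitly. A short why-comment on the new line would also stop the next refactor from folding the check back into the helper: `// HSTS is gated on XUI_SKIP_HSTS here, not in isDirectHTTPSConfigured, so the override never strips Secure from the session cookie.` The first hunk deserves the matching doc comment on the helper, e.g. `// isDirectHTTPSConfigured reports whether a TLS cert and key are both configured; it deliberately ignores XUI_SKIP_HSTS.` Both enclosing functions, isDirectHTTPSConfigured and initRouter, continue outside their hunks.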