3x-ui

mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 05:04:22 +00:00

History

MHSanaei 46afac8228 refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag isDirectHTTPSConfigured was being reused for both the HSTS middleware and the session cookie's Secure flag (web.go:185). Embedding the env-var check inside it meant setting XUI_SKIP_HSTS=true also stripped Secure from session cookies on a real HTTPS server. Split the concerns: keep isDirectHTTPSConfigured honest (cert/key only) and combine it with the env var at the call site for the HSTS middleware only.		2026-05-19 14:27:34 +02:00
..
controller	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
entity	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
global	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
job	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
locale	v3	2026-05-10 02:13:42 +02:00
middleware	Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 )	2026-05-13 12:52:52 +02:00
network	docs: add comments for all functions	2025-09-20 09:35:50 +02:00
runtime	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
service	fix(security): redact at source and cap marshal sizes for CodeQL	2026-05-19 12:48:01 +02:00
session	Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 )	2026-05-13 12:52:52 +02:00
translation	Feat/multi inbound clients (#4469 )	2026-05-19 12:20:24 +02:00
websocket	fix(websocket): order register/unregister via single ops channel	2026-05-19 12:34:53 +02:00
web.go	refactor(web): gate HSTS at call site so XUI_SKIP_HSTS doesn't drop the Secure cookie flag	2026-05-19 14:27:34 +02:00