Hi,

RFC 6797 says:

   An HSTS Host MUST NOT include the STS header field in HTTP responses
   conveyed over non-secure transport.

Is this the correct check? With this I get what I expect: HSTS headers
over TLS, and no HSTS headers over unencrypted HTTP.

Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.76
diff -u -p -r1.76 server_fcgi.c
--- server_fcgi.c       19 May 2018 13:56:56 -0000      1.76
+++ server_fcgi.c       15 Oct 2018 01:30:28 -0000
@@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
                return (-1);
 
        /* HSTS header */
-       if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+       if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
                if ((cl =
                    kv_add(&resp->http_headers, "Strict-Transport-Security",
                    NULL)) == NULL ||
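Review bot: The new condition on the `+` line mixes a bitwise `&` with a logical `&&` without parentheses; it parses as intended because `&` binds tighter than `&&`, but the bitwise flag test should be bracketed so the intent is visible at a glance, e.g. `if ((srv_conf->flags & SRVFLAG_SERVER_HSTS) && clt->clt_tls_ctx != NULL) {`. The identical line is repeated in the server_http.c hunks at @@ -950 (server_abort_http) and @@ -1452 (server_response_http), so one shared predicate (a small `static` helper taking `clt` and `srv_conf`) would keep the three sites from drifting when the rule changes. Keying on the per-connection `clt_tls_ctx` rather than a server-level TLS setting is the tighter reading of RFC 6797's "conveyed over non-secure transport", though it is worth confirming that `clt_tls_ctx` is always populated before any of these header paths can run, since that is what makes the check sound. The body of server_fcgi_header begins and continues outside the hunk.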
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.125
diff -u -p -r1.125 server_http.c
--- server_http.c       11 Oct 2018 09:52:22 -0000      1.125
+++ server_http.c       15 Oct 2018 01:30:28 -0000
@@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
                goto done;
        }
 
-       if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+       if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
                if (asprintf(&hstsheader, "Strict-Transport-Security: "
                    "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
                    srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
@@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
                return (-1);
 
        /* HSTS header */
-       if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+       if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
                if ((cl =
                    kv_add(&resp->http_headers, "Strict-Transport-Security",
                    NULL)) == NULL ||
