Hi, RFC 6797 says:
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport. Is this the correct check? With this I get what I expect: HSTS headers over TLS, and no HSTS headers over unencrypted HTTP.
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.76
diff -u -p -r1.76 server_fcgi.c
--- server_fcgi.c 19 May 2018 13:56:56 -0000 1.76
+++ server_fcgi.c 15 Oct 2018 01:30:28 -0000
@@ -655,7 +655,7 @@ server_fcgi_header(struct client *clt, u
 return (-1);
 /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
 if ((cl = kv_add(&resp->http_headers,
 "Strict-Transport-Security", NULL)) == NULL ||
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.125
diff -u -p -r1.125 server_http.c
--- server_http.c 11 Oct 2018 09:52:22 -0000 1.125
+++ server_http.c 15 Oct 2018 01:30:28 -0000
@@ -950,7 +950,7 @@ server_abort_http(struct client *clt, un
 goto done;
 }
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
 if (asprintf(&hstsheader, "Strict-Transport-Security: "
 "max-age=%d%s%s\r\n", srv_conf->hsts_max_age,
 srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
@@ -1452,7 +1452,7 @@ server_response_http(struct client *clt,
 return (-1);
 /* HSTS header */
- if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
+ if (srv_conf->flags & SRVFLAG_SERVER_HSTS && clt->clt_tls_ctx != NULL) {
 if ((cl = kv_add(&resp->http_headers,
 "Strict-Transport-Security", NULL)) == NULL ||
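Review bot: The added condition puts bitwise `&` and logical `&&` on one line that runs to the 80-column limit, in this hunk and identically in the two server_http.c hunks (server_abort_http and server_response_http); `&` binds tighter than `&&`, so the test is correct, but the neighbouring `kv_add` and `asprintf` calls are wrapped and the condition should be too: `if (srv_conf->flags & SRVFLAG_SERVER_HSTS &&` / `    clt->clt_tls_ctx != NULL) {`. Gating on the client's TLS context is the right reading of RFC 6797 §7.2, assuming a plaintext connection never has that pointer set; if the server configuration carries its own TLS flag, testing it alongside the HSTS flag would express "this server is TLS-only" more directly, but either works. All three enclosing functions begin and end outside their hunks.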