From 8eabc1108ae27092458bc7e0dc560ebcd14c545d Mon Sep 17 00:00:00 2001
From: Ciprian Dorin Craciun
Date: Thu, 16 Dec 2021 17:45:16 +0200
Subject: [PATCH] [server] Update security headers flag interpretation.
---
 sources/cmd/server/server.go | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go
index 95955e4..d0661a8 100644
--- a/sources/cmd/server/server.go
+++ b/sources/cmd/server/server.go
@@ -332,17 +332,15 @@ func (_server *server) Serve (_context *fasthttp.RequestCtx) () {
 return
 }
+ if _server.securityHeadersTls {
+ _responseHeaders.AddBytesKV (StringToBytes ("Strict-Transport-Security"), StringToBytes ("max-age=31536000"))
+ _responseHeaders.AddBytesKV (StringToBytes ("Content-Security-Policy"), StringToBytes ("upgrade-insecure-requests"))
+ }
 if _server.securityHeadersEnabled {
- if _server.securityHeadersTls {
- _responseHeaders.AddBytesKV (StringToBytes ("Strict-Transport-Security"), StringToBytes ("max-age=31536000"))
- _responseHeaders.AddBytesKV (StringToBytes ("Content-Security-Policy"), StringToBytes ("upgrade-insecure-requests"))
- }
- {
- _responseHeaders.AddBytesKV (StringToBytes ("Referrer-Policy"), StringToBytes ("strict-origin-when-cross-origin"))
- _responseHeaders.AddBytesKV (StringToBytes ("X-Content-Type-Options"), StringToBytes ("nosniff"))
- _responseHeaders.AddBytesKV (StringToBytes ("X-XSS-Protection"), StringToBytes ("1; mode=block"))
- _responseHeaders.AddBytesKV (StringToBytes ("X-Frame-Options"), StringToBytes ("sameorigin"))
- }
+ _responseHeaders.AddBytesKV (StringToBytes ("Referrer-Policy"), StringToBytes ("strict-origin-when-cross-origin"))
+ _responseHeaders.AddBytesKV (StringToBytes ("X-Content-Type-Options"), StringToBytes ("nosniff"))
+ _responseHeaders.AddBytesKV (StringToBytes ("X-XSS-Protection"), StringToBytes ("1; mode=block"))
+ _responseHeaders.AddBytesKV (StringToBytes ("X-Frame-Options"), StringToBytes ("sameorigin"))
 }
 if _server.debug {
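Review bot: The re-added `X-XSS-Protection: 1; mode=block` line in the `securityHeadersEnabled` branch turns on a legacy browser filter that current guidance (OWASP, MDN) advises disabling, because the filter was itself a source of cross-site information leaks in older browsers and modern browsers ignore the header entirely; consider `_responseHeaders.AddBytesKV (StringToBytes ("X-XSS-Protection"), StringToBytes ("0"))` or dropping the line. Separately, both new blocks use `AddBytesKV`, which appends rather than replaces, so if the served content or an upstream already carries one of these headers the response ends up with two copies — browsers intersect duplicate `Content-Security-Policy` values, but a conflicting `X-Frame-Options` pair is handled inconsistently; `SetBytesKV` would make the server's policy authoritative, assuming that is the intent. Since `securityHeadersTls` now takes effect independently of `securityHeadersEnabled`, the flag's help text (not in this hunk) should describe the new, independent meaning. `Serve` begins and ends outside this hunk.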