middleware: fix Strict-Transport-Security header (#17644)

fixes #17641
2025-02-25 18:55:37 -06:00 · 2019-06-18 14:24:23 -04:00
parent 401615847c
commit bd08d8ce8e
2 changed files with 37 additions and 4 deletions
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -255,14 +255,14 @@ func AddDefaultResponseHeaders() macaron.Handler {
 // AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
 func AddSecurityHeaders(w macaron.ResponseWriter) {
 	if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
-		strictHeader := "Strict-Transport-Security"
-		w.Header().Add(strictHeader, fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge))
+		strictHeaderValues := []string{fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge)}
 		if setting.StrictTransportSecurityPreload {
-			w.Header().Add(strictHeader, "preload")
+			strictHeaderValues = append(strictHeaderValues, "preload")
 		}
 		if setting.StrictTransportSecuritySubDomains {
-			w.Header().Add(strictHeader, "includeSubDomains")
+			strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
 		}
+		w.Header().Add("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
 	}

 	if setting.ContentTypeProtectionHeader {