From 065bf14e26e0892d2b7bb703d7608a4568e8a141 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 28 Jun 2021 13:58:40 -0700
Subject: [PATCH] Set strict-transport-security only when trusted cert is in use.

---
 webserver.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webserver.js b/webserver.js
index 1ce92691..cae570b0 100644
--- a/webserver.js
+++ b/webserver.js
@@ -5459,7 +5459,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'"
 };
 if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
- if (parent.config.settings.stricttransportsecurity !== false) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } }
+ if ((parent.config.settings.stricttransportsecurity !== false) && (obj.isTrustedCert(domain))) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } }
 res.set(headers); }
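Review bot: The new `obj.isTrustedCert(domain)` gate on the added line also suppresses an explicitly configured `stricttransportsecurity` string, so an administrator who deliberately set the header (for example behind a TLS-terminating proxy that presents a trusted certificate while this server's own certificate is not trusted) silently loses HSTS with nothing logged. Applying the trusted-cert check only to the default branch keeps the operator's explicit choice: `if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else if (obj.isTrustedCert(domain)) { headers['Strict-Transport-Security'] = 'max-age=63072000'; }` under the original `!== false` guard. Neither `domain` nor `obj.isTrustedCert` is defined in the hunk, so it is worth confirming `domain` is in scope at this point and that `isTrustedCert` is cheap enough to run on every response, since this code executes per request. A one-line comment such as `// HSTS is only sent with a trusted cert so a self-signed deployment cannot lock browsers out` would record the intent, which the commit title states but the code does not. The enclosing CreateWebServer function starts and ends outside the hunk.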