feat: support STSPreload

// If STSPreload is set to true, the `; preload` will be appended to the // Strict-Transport-Security header. Default is false. // Note that removal is non-trivial and enabling this means you need to // support https long-term. See https://hstspreload.org/ for more info.
gin-contrib · May 5, 2024 · e944b63 · e944b63
1 parent 645b4bb
commit e944b63
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/policy.go b/policy.go
@@ -67,7 +67,9 @@ func (p *policy) loadConfig(config Config) {
 		if config.STSIncludeSubdomains {
 			stsSub = "; includeSubdomains"
 		}
-
+                if config.STSPreload {
+			stsSub = "; preload"
+		}
 		// TODO
 		// "max-age=%d%s" refactor
 		p.addHeader(

diff --git a/secure.go b/secure.go
@@ -22,6 +22,11 @@ type Config struct {
 	// If STSIncludeSubdomains is set to true, the `includeSubdomains` will
 	// be appended to the Strict-Transport-Security header. Default is false.
 	STSIncludeSubdomains bool
+        // If STSPreload is set to true, the `; preload` will be appended to the
+        // Strict-Transport-Security header. Default is false.
+        // Note that removal is non-trivial and enabling this means you need to
+        // support https long-term. See https://hstspreload.org/ for more info.
+        STSPreload bool
 	// If FrameDeny is set to true, adds the X-Frame-Options header with
 	// the value of `DENY`. Default is false.
 	FrameDeny bool
@@ -75,6 +80,7 @@ func DefaultConfig() Config {
 		IsDevelopment:         false,
 		STSSeconds:            315360000,
 		STSIncludeSubdomains:  true,
+		STSPreload:            true,
 		FrameDeny:             true,
 		ContentTypeNosniff:    true,
 		BrowserXssFilter:      true,