From 3cccbbc1f2229b7da793acce87ab9f7adb41ab74 Mon Sep 17 00:00:00 2001
From: Jimb Esser
Date: Mon, 6 Aug 2018 18:24:57 -0700
Subject: [PATCH] Add option to enable/disable HSTS

Also fix HSTS middleware being added twice.
---
 public/language/en-GB/admin/settings/advanced.json | 3 ++-
 src/views/admin/settings/advanced.tpl | 6 ++++++
 src/webserver.js | 12 +++++++++---
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/public/language/en-GB/admin/settings/advanced.json b/public/language/en-GB/admin/settings/advanced.json
index e4070ab7be..f989898d05 100644
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -13,9 +13,10 @@
 "headers.acam": "Access-Control-Allow-Methods",
 "headers.acah": "Access-Control-Allow-Headers",
 "hsts": "Strict Transport Security",
+ "hsts.enabled": "Enabled HSTS (recommended)",
 "hsts.subdomains": "Include subdomains in HSTS header",
 "hsts.preload": "Allow preloading of HSTS header",
- "hsts.help": "An HSTS header is already pre-configured for this site. You can elect to include subdomains and preloading flags in your header. If in doubt, you can leave these unchecked. More information ",
+ "hsts.help": "If enabled, an HSTS header will be set for this site. You can elect to include subdomains and preloading flags in your header. If in doubt, you can leave these unchecked. More information ",
 "traffic-management": "Traffic Management",
 "traffic.help": "NodeBB deploys equipped with a module that automatically denies requests in high-traffic situations. You can tune these settings here, although the defaults are a good starting point.",
 "traffic.enable": "Enable Traffic Management",
diff --git a/src/views/admin/settings/advanced.tpl b/src/views/admin/settings/advanced.tpl
index 44d34fa80f..4aec0e51fa 100644
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -67,6 +67,12 @@
[[admin/settings/advanced:hsts]]
+
+ +

diff --git a/src/webserver.js b/src/webserver.js
index 86a84a1459..b201fd4915 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -185,13 +185,19 @@ function setupExpressApp(app, callback) {
 saveUninitialized: true,
 }));
- app.use(helmet());
- app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
- app.use(helmet.hsts({
+ var hsts_option = {
 maxAge: parseInt(meta.config['hsts-maxage'], 10) || 31536000,
 includeSubdomains: !!parseInt(meta.config['hsts-subdomains'], 10),
 preload: !!parseInt(meta.config['hsts-preload'], 10),
+ setIf: function () {
+ // If not set, default to on - previous and recommended behavior
+ return meta.config['hsts-enabled'] === undefined || !!parseInt(meta.config['hsts-enabled'], 10);
+ },
+ };
+ app.use(helmet({
+ hsts: hsts_option,
 }));
+ app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 app.use(middleware.addHeaders);
 app.use(middleware.processRender);
 auth.initialize(app, middleware);
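Review bot: Turning `hsts-enabled` off only stops sending the header, which does not retract a policy that browsers have already cached from the previous always-on setup for up to `maxAge` (31536000 seconds by default); clients that have seen the header keep forcing HTTPS until it expires, and a domain that was preloaded is unaffected either way. If the intent is to let admins actually withdraw HSTS, the disabled path would have to keep emitting the header with `max-age=0` rather than omitting it, or at minimum the new `hsts.help` text in the language hunk should say the change only takes effect as cached policies expire. Note also that `setIf` re-reads `meta.config['hsts-enabled']` on every request while `maxAge`, `includeSubdomains` and `preload` are evaluated once when `setupExpressApp` runs, so the toggle applies immediately but the other three need a restart; a comment such as `// setIf runs per request; the other options are fixed at startup` would save the next reader that surprise. Minor style: `hsts_option` is the only snake_case local in sight, and `hstsOption` would match the surrounding code. `setupExpressApp` starts before the hunk and continues after it.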