From 97ef2191fd2d4bb4b44915536c3a9d45dc4c12f8 Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@protonmail.com>
Date: Tue, 14 May 2019 08:21:01 -0500
Subject: [PATCH] Add 'hsts' as config option

---
 src/invidious.cr                 | 6 ++++--
 src/invidious/helpers/helpers.cr | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index 31b8904e..9956e127 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -193,7 +193,7 @@ before_all do |env|
   env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' #{host_url} 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' #{host_url} https://*.googlevideo.com:443"
   env.response.headers["Referrer-Policy"] = "same-origin"
 
-  if Kemal.config.ssl || config.https_only
+  if (Kemal.config.ssl || config.https_only) && config.hsts
     env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
   end
 
@@ -5355,7 +5355,9 @@ if Kemal.config.ssl
         redirect_url += "?#{env.request.query}"
       end
 
-      env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+      if config.hsts
+        env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+      end
       env.response.headers["Location"] = redirect_url
       env.response.status_code = 301
     end
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
index becf54b4..2b843087 100644
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -128,6 +128,7 @@ user: String,
     check_tables:      {type: Bool, default: false},                 # Check table integrity, automatically try to add any missing columns, create tables, etc.
     cache_annotations: {type: Bool, default: false},                 # Cache annotations requested from IA, will not cache empty annotations or annotations that only contain cards
     banner:            {type: String?, default: nil},                # Optional banner to be displayed along top of page for announcements, etc.
+    hsts:              {type: Bool?, default: true},                 # Enables 'Strict-Transport-Security'. Ensure that `domain` and all subdomains are served securely
   })
 end