go-vela · wass3r · May 25, 2022 · Feb 23, 2022 · Mar 10, 2022 · Mar 16, 2022
diff --git a/router/middleware/header.go b/router/middleware/header.go
@@ -51,12 +51,9 @@ func Secure(c *gin.Context) {
 	c.Header("X-Frame-Options", "DENY")
 	c.Header("X-Content-Type-Options", "nosniff")
 	c.Header("X-XSS-Protection", "1; mode=block")
-
-	// Also consider adding Content-Security-Policy headers
+	// TODO: consider adding Content-Security-Policy headers
 	// c.Header("Content-Security-Policy", "script-src 'self' https://cdnjs.cloudflare.com")
-	if c.Request.TLS != nil {
-		c.Header("Strict-Transport-Security", "max-age=31536000")
-	}
+	c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
 }
 
 // Cors is a middleware function that appends headers for

diff --git a/router/middleware/header_test.go b/router/middleware/header_test.go
@@ -267,7 +267,7 @@ func TestMiddleware_Secure_TLS(t *testing.T) {
 	wantFrameOptions := "DENY"
 	wantContentTypeOptions := "nosniff"
 	wantProtection := "1; mode=block"
-	wantSecurity := "max-age=31536000"
+	wantSecurity := "max-age=63072000; includeSubDomains; preload"
 
 	// setup context
 	gin.SetMode(gin.TestMode)