HSTS will add the strict-transport-security header if enabled. This header forces a browser to always use https for the domain after it loads https once. Meaning: On first load of product.coder.com, they are redirected to https. On all subsequent loads, the client's local browser forces https. This
(next http.Handler, cfg HSTSConfig)
| 61 | // Full header example: |
| 62 | // Strict-Transport-Security: max-age=63072000; includeSubDomains; preload |
| 63 | func HSTS(next http.Handler, cfg HSTSConfig) http.Handler { |
| 64 | if cfg.HeaderValue == "" { |
| 65 | // No header, so no need to wrap the handler. |
| 66 | return next |
| 67 | } |
| 68 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| 69 | w.Header().Set(hstsHeader, cfg.HeaderValue) |
| 70 | next.ServeHTTP(w, r) |
| 71 | }) |
| 72 | } |