From e3952674ba66511ae6b04d2835cf25ccebbf6290 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 15 Jan 2020 19:32:14 -0500
Subject: [PATCH] fix: hsts always enabled
---
 src/webserver.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/webserver.js b/src/webserver.js
index 54e09e5424..dc506c45ff 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -164,7 +164,9 @@ function setupExpressApp(app) {
 saveUninitialized: nconf.get('sessionSaveUninitialized') || false,
 }));
 
- app.use(helmet());
+ app.use(helmet({
+ hsts: !!meta.config['hsts-enabled'],
+ }));
 app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 if (meta.config['hsts-enabled']) {
 app.use(helmet.hsts({
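Review bot: With `hsts-enabled` on, the new `hsts: !!meta.config['hsts-enabled']` turns on helmet's default HSTS middleware, and the `helmet.hsts({ ... })` call in the `if` block just below then sets the header a second time, so the effective policy relies on the later middleware overwriting the earlier one. Passing `app.use(helmet({ hsts: false }));` unconditionally would leave that `if` block as the single place where the header is configured. The block's options continue past the end of the hunk, so the max-age and subdomain settings it applies are not visible here. Separately, browsers that received the header while it was always sent will presumably keep enforcing HTTPS until the cached max-age expires; dropping the header does not revoke it, so operators who never enabled HSTS may need to serve `Strict-Transport-Security: max-age=0` over HTTPS for a period, which seems worth a release note.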