Added support for hsts

CHANGELOG.md

@@ -20,10 +20,13 @@ and this project adheres to
 - The ability to put [ClientIDs][clientid] into DNS-over-HTTPS hostnames as
   opposed to URL paths ([#3418]).  Note that AdGuard Home checks the server name
   only if the URL does not contain a ClientID.
+- Support for [HSTS][hsts], if `tls.force_https` is enabled ([#4941]).
 
 [#3418]: https://github.com/AdguardTeam/AdGuardHome/issues/3418
+[#4941]: https://github.com/AdguardTeam/AdGuardHome/pull/4941
 
 [clientid]: https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid
+[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
 
 

internal/home/control.go

@@ -320,6 +320,16 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 		return false
 	}
 
+	// Add headers for HSTS
+	// This informs browsers that the site should only be accessed using HTTPS,
+	// and that any future attempts to access it using HTTP should automatically be
+	// converted to HTTPS.
+	//
+	// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+	if config.TLS.ForceHTTPS {
+		w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+	}
+
 	if r.TLS == nil && web.forceHTTPS {
 		hostPort := host
 		if port := web.conf.PortHTTPS; port != defaultPortHTTPS {