Only send Strict Transport Security Header using https

If AppInventorFeatures.enableHttpRedirect() is false, don't send the Strict-Transport-Security header. Chrome appears to ignore it when it is sent over http instead of https, but I wouldn't want to depend on that behavior! Change-Id: I585fc6164a57d7502b737c4596cbd42b84489dd2

Only send Strict Transport Security Header using https
If AppInventorFeatures.enableHttpRedirect() is false, don't send the Strict-Transport-Security header. Chrome appears to ignore it when it is sent over http instead of https, but I wouldn't want to depend on that behavior! Change-Id: I585fc6164a57d7502b737c4596cbd42b84489dd2
7cde9da3 · Jeffrey I. Schiller · 345c2f76 · 7cde9da3
Unverified Commit 7cde9da3 authored Sep 01, 2023 by Jeffrey I. Schiller
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

appinventor/appengine/war/index.jsp appinventor/appengine/war/index.jsp +3 -1

No files found.
--- a/appinventor/appengine/war/index.jsp
+++ b/appinventor/appengine/war/index.jsp
@@ -13,7 +13,9 @@
        }
     return;
   }
+   if (AppInventorFeatures.enableHttpRedirect()) {
       response.setHeader("Strict-Transport-Security", "max-age=3600");
+   }
 %>
 <!-- Copyright 2007-2009 Google Inc. All Rights Reserved. -->
 <!-- Copyright 2011-2020 Massachusetts Institute of Technology. All Rights Reserved. -->