From 2e7fac444f35eeca1817efff43c3bc40a64ff68a Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Thu, 1 Sep 2016 16:30:18 +0200
Subject: [PATCH] Do not set HSTS header

Enabling HTTP Strict-Transport-Security should be a decision made by the system administrator, and implemented at server level, probably site-wide and not just for MantisBT's PHP files.

Furthermore, Mantis setting this header causes issues if it is already set for the server (invalid header), and may have unwanted side effects as described in #21262.

This reverts the change implemented to resolve issue #12881.

Fixes #21262
---
 core/http_api.php | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/core/http_api.php b/core/http_api.php
index 2e9bd66975..d6c757b423 100644
--- a/core/http_api.php
+++ b/core/http_api.php
@@ -236,10 +236,6 @@ function http_security_headers() {
 }
 http_csp_emit_header();
-
- if( http_is_protocol_https() ) {
- header( 'Strict-Transport-Security: max-age=7776000' );
- }
 }
 }