
fix(middleware): default HSTS header in production#2081

Merged
bpamiri merged 1 commit into develop from peter/hsts-default-production
Apr 10, 2026

Conversation

@bpamiri
Collaborator

@bpamiri bpamiri commented Apr 10, 2026

Summary

  • SecurityHeaders middleware now auto-defaults Strict-Transport-Security: max-age=31536000; includeSubDomains when environment is production and no explicit HSTS value is provided
  • Adds environment parameter to init() with fallback to application.$wheels.environment so existing users get HSTS protection without config changes
  • Fully backward compatible: non-production environments and empty environment continue to omit HSTS unless explicitly set

Test plan

  • Verify HSTS auto-defaults when environment="production" and no explicit value
  • Verify HSTS is NOT set for development, testing, or empty environment
  • Verify explicit HSTS values override the auto-default in production
  • Verify backward compatibility: no HSTS when no environment param passed
  • All 2672 tests pass locally (Lucee 7 + SQLite), 0 failures

🤖 Generated with Claude Code

SecurityHeaders middleware now auto-defaults Strict-Transport-Security
to "max-age=31536000; includeSubDomains" when the environment is
production and no explicit HSTS value is provided. Falls back to
checking application.$wheels.environment when no environment parameter
is passed, so existing users get HSTS protection without config changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
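The defaulting rules the PR body describes, written out as an added Python example; this is not the project's code (CFWheels is CFML, and its SecurityHeaders middleware and init() are not reproduced here). The function names, the header dict shape and the sample configurations are constructed for the example. It goes a little beyond the PR: the emitted value is parsed against the RFC 6797 directive grammar before it is sent, and a preload-eligibility check shows that the production default, lacking the preload directive, is not submittable to the hstspreload.org list, so a site that wants that must pass an explicit value.

```python
"""HSTS defaulting policy as described in PR #2081, re-implemented in Python.

Assumptions (not from the project): resolve_hsts, build_headers, parse_hsts,
preload_eligible and the sample configurations below are constructed for this
example. The directive grammar follows RFC 6797 section 6.1; the preload
requirements follow the hstspreload.org submission rules.
"""
from __future__ import annotations

import re
from typing import Dict, Optional

# Value the PR says SecurityHeaders emits in production when nothing explicit is set.
DEFAULT_PRODUCTION_HSTS = "max-age=31536000; includeSubDomains"

# One directive: a token name, optionally "= value" where value is a decimal
# number that may be quoted. Names are matched case-insensitively by callers.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?(\d+)"?\s*)?$')


def resolve_hsts(explicit: Optional[str], environment: Optional[str],
                 app_environment: Optional[str] = None) -> Optional[str]:
    """Decide the Strict-Transport-Security value to emit, or None to omit it.

    Mirrors the PR's rules: an explicit value always wins; otherwise the header
    defaults only when the effective environment is "production"; an empty
    environment parameter falls back to the application-level setting (the
    project reads application.$wheels.environment for this).
    """
    if explicit and explicit.strip():
        return explicit.strip()
    env = environment or app_environment
    if env == "production":
        return DEFAULT_PRODUCTION_HSTS
    return None


def parse_hsts(value: str) -> Dict[str, Optional[int]]:
    """Parse an HSTS value into {lowercased directive name: max-age value or None}.

    Raises ValueError on a malformed directive, a duplicate directive (RFC 6797
    forbids repeats) or a missing max-age.
    """
    directives: Dict[str, Optional[int]] = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ";" the way browsers do
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed HSTS directive: {raw!r}")
        name, num = m.group(1).lower(), m.group(2)
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = int(num) if num is not None else None
    if directives.get("max-age") is None:
        raise ValueError("HSTS value lacks the required max-age directive")
    return directives


def is_valid_hsts(value: str) -> bool:
    """True when a browser would accept the value as a well-formed HSTS policy."""
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False


def preload_eligible(value: str) -> bool:
    """hstspreload.org requires max-age >= 1 year, includeSubDomains and preload."""
    d = parse_hsts(value)
    return d["max-age"] >= 31536000 and "includesubdomains" in d and "preload" in d


def build_headers(explicit_hsts: Optional[str] = None, environment: Optional[str] = None,
                  app_environment: Optional[str] = None) -> Dict[str, str]:
    """Return the response headers the policy would add (HSTS only, for this example).

    A value that fails to parse is refused rather than sent, because a browser
    silently ignores a malformed header and the operator never finds out.
    """
    headers: Dict[str, str] = {}
    hsts = resolve_hsts(explicit_hsts, environment, app_environment)
    if hsts is not None:
        parse_hsts(hsts)  # raises ValueError on a broken explicit value
        headers["Strict-Transport-Security"] = hsts
    return headers


def check_test_plan() -> bool:
    """Run the PR's test-plan matrix (plus the app-setting fallback) against the policy."""
    explicit = "max-age=63072000; includeSubDomains; preload"
    cases = [
        # (explicit value, environment param, app-level environment, expected header)
        (None, "production", None, DEFAULT_PRODUCTION_HSTS),   # production auto-default
        (None, "development", None, None),                      # dev: no HSTS
        (None, "testing", None, None),                          # testing: no HSTS
        (None, "", None, None),                                 # empty env: no HSTS
        (explicit, "production", None, explicit),               # explicit overrides default
        ("max-age=0", "development", None, "max-age=0"),        # explicit value in non-prod
        (None, None, "production", DEFAULT_PRODUCTION_HSTS),    # fallback to app setting
        (None, None, None, None),                               # no environment anywhere
    ]
    return all(resolve_hsts(e, env, app) == exp for e, env, app, exp in cases)


if __name__ == "__main__":
    for env in ("production", "development"):
        print(env, build_headers(environment=env))
    print("preload eligible with default:", preload_eligible(DEFAULT_PRODUCTION_HSTS))
```

Two points the matrix makes visible: the fallback to the application setting means a deployment that never passed an environment parameter still gets the header once the app-level environment is "production", and the default is deliberately conservative (no preload), so moving to the preload list is an explicit, reversible opt-in rather than something the middleware does on its own.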
@bpamiri bpamiri merged commit b9df814 into develop Apr 10, 2026
3 checks passed
@bpamiri bpamiri deleted the peter/hsts-default-production branch April 10, 2026 09:36
@bpamiri bpamiri mentioned this pull request Apr 16, 2026
7 tasks