From cfc339548fcdebcb44c2bca9d1cd5c3893e94a51 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Mon, 13 Nov 2023 09:21:44 -0700
Subject: [PATCH] core/config: disable strict-transport-security header with staging autocert (#4741)

---
 config/options.go | 2 +-
 config/options_test.go | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config/options.go b/config/options.go
index 3c780550c..2e25b7aaf 100644
--- a/config/options.go
+++ b/config/options.go
@@ -1155,7 +1155,7 @@ func (o *Options) GetSetResponseHeadersForPolicy(policy *Policy) map[string]stri
 hdrs[k] = v
 }
- if !o.HasCertificates() {
+ if !o.HasCertificates() || o.AutocertOptions.UseStaging {
 delete(hdrs, "Strict-Transport-Security")
 }
 }
diff --git a/config/options_test.go b/config/options_test.go
index d8974a864..fbb687ed7 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -979,6 +979,15 @@ func TestOptions_GetSetResponseHeaders(t *testing.T) {
 "X-XSS-Protection": "1; mode=block",
 }, options.GetSetResponseHeaders())
 })
+ t.Run("autocert-staging", func(t *testing.T) {
+ options := NewDefaultOptions()
+ options.Cert = "CERT"
+ options.AutocertOptions.UseStaging = true
+ assert.Equal(t, map[string]string{
+ "X-Frame-Options": "SAMEORIGIN",
+ "X-XSS-Protection": "1; mode=block",
+ }, options.GetSetResponseHeaders())
+ })
 t.Run("disable", func(t *testing.T) {
 options := NewDefaultOptions()
 options.SetResponseHeaders = map[string]string{DisableHeaderKey: "1", "x-other": "xyz"}
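Review bot: The new condition on the changed `if` line removes Strict-Transport-Security whenever `AutocertOptions.UseStaging` is set, without checking that autocert is actually the certificate source, so an operator who leaves the staging flag on while serving a CA-issued certificate configured some other way silently loses HSTS on every response. If AutocertOptions carries an enable flag (it is not visible in this hunk), gate on both: `if !o.HasCertificates() || (o.AutocertOptions.Enable && o.AutocertOptions.UseStaging) {`. The deletion also has no explanation in the code; a comment above the `if` would save the next reader a trip to the commit log, e.g. `// Staging CAs issue certificates browsers do not trust; with HSTS set the certificate warning becomes a hard, cached failure, so drop the header.` Since this weakens a security header based on configuration, emitting a warn-level log entry at the point of removal would make the degraded posture visible to operators rather than leaving it to inspection of live responses. GetSetResponseHeadersForPolicy begins before this hunk.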
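Review bot: The new `autocert-staging` case asserts equality against the whole default header map, so the property actually under test, that Strict-Transport-Security is absent, is only implied and the case will start failing for unrelated reasons as soon as another default header is added. An explicit `assert.NotContains(t, options.GetSetResponseHeaders(), "Strict-Transport-Security")` alongside the map comparison states the intent directly. If no existing case in this function already does so, a sibling case with `options.Cert = "CERT"` and `UseStaging` left false, asserting the header is present, would pin the suppression to the staging flag rather than to `Cert` alone. TestOptions_GetSetResponseHeaders begins before this hunk.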