LabKey · labkey-jeckels · Dec 22, 2024 · Dec 21, 2024 · Dec 21, 2024 · Dec 21, 2024
diff --git a/api/src/org/labkey/api/security/AuthFilter.java b/api/src/org/labkey/api/security/AuthFilter.java
@@ -126,7 +126,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         }
 
         // No startup failure, so check for SSL redirection
-        if (!req.getScheme().equalsIgnoreCase("https") && AppProps.getInstance().isSSLRequired())
+        boolean sslRequired = AppProps.getInstance().isSSLRequired();
+        if (!req.getScheme().equalsIgnoreCase("https") && sslRequired)
         {
             // We can't redirect posts (we'll lose the post body), so return an error code
             if ("post".equalsIgnoreCase(req.getMethod()))
@@ -164,6 +165,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             return;
         }
 
+        if (sslRequired)
+        {
+            resp.setHeader("Strict-Transport-Security", "max-age=31536000");
+        }
+
         // allow CSRFUtil early access to req/resp if it wants to write cookies
         CSRFUtil.getExpectedToken(req, resp);