Add option to enable/disable HSTS

Also fix HSTS middleware being added twice.

src/webserver.js

@@ -185,13 +185,19 @@ function setupExpressApp(app, callback) {
 		saveUninitialized: true,
 	}));
 
-	app.use(helmet());
-	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
-	app.use(helmet.hsts({
+	var hsts_option = {
 		maxAge: parseInt(meta.config['hsts-maxage'], 10) || 31536000,
 		includeSubdomains: !!parseInt(meta.config['hsts-subdomains'], 10),
 		preload: !!parseInt(meta.config['hsts-preload'], 10),
+		setIf: function () {
+			// If not set, default to on - previous and recommended behavior
+			return meta.config['hsts-enabled'] === undefined || !!parseInt(meta.config['hsts-enabled'], 10);
+		},
+	};
+	app.use(helmet({
+		hsts: hsts_option,
 	}));
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);