Add option to enable/disable HSTS

Also fix HSTS middleware being added twice.

public/language/en-GB/admin/settings/advanced.json

@@ -13,9 +13,10 @@
 	"headers.acam": "Access-Control-Allow-Methods",
 	"headers.acah": "Access-Control-Allow-Headers",
 	"hsts": "Strict Transport Security",
+	"hsts.enabled": "Enabled HSTS (recommended)",
 	"hsts.subdomains": "Include subdomains in HSTS header",
 	"hsts.preload": "Allow preloading of HSTS header",
-	"hsts.help": "An HSTS header is already pre-configured for this site. You can elect to include subdomains and preloading flags in your header. If in doubt, you can leave these unchecked. <a href=\"%1\">More information <i class=\"fa fa-external-link\"></i></a>",
+	"hsts.help": "If enabled, an HSTS header will be set for this site. You can elect to include subdomains and preloading flags in your header. If in doubt, you can leave these unchecked. <a href=\"%1\">More information <i class=\"fa fa-external-link\"></i></a>",
 	"traffic-management": "Traffic Management",
 	"traffic.help": "NodeBB deploys equipped with a module that automatically denies requests in high-traffic situations. You can tune these settings here, although the defaults are a good starting point.",
 	"traffic.enable": "Enable Traffic Management",

src/views/admin/settings/advanced.tpl

@@ -67,6 +67,12 @@
 	<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/advanced:hsts]]</div>
 	<div class="col-sm-10 col-xs-12">
 		<form>
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" data-field="hsts-enabled" checked>
+					<span class="mdl-switch__label"><strong>[[admin/settings/advanced:hsts.enabled]]</strong></span>
+				</label>
+			</div>
 			<div class="form-group">
 				<label for="hsts-maxage">[[admin/settings/advanced:hsts.maxAge]]</label>
 				<input class="form-control" id="hsts-maxage" type="number" placeholder="31536000" data-field="hsts-maxage" /><br />

src/webserver.js

@@ -185,13 +185,19 @@ function setupExpressApp(app, callback) {
 		saveUninitialized: true,
 	}));
 
-	app.use(helmet());
-	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
-	app.use(helmet.hsts({
+	var hsts_option = {
 		maxAge: parseInt(meta.config['hsts-maxage'], 10) || 31536000,
 		includeSubdomains: !!parseInt(meta.config['hsts-subdomains'], 10),
 		preload: !!parseInt(meta.config['hsts-preload'], 10),
+		setIf: function () {
+			// If not set, default to on - previous and recommended behavior
+			return meta.config['hsts-enabled'] === undefined || !!parseInt(meta.config['hsts-enabled'], 10);
+		},
+	};
+	app.use(helmet({
+		hsts: hsts_option,
 	}));
+	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);