closes #6613

src/webserver.js

@@ -195,6 +195,11 @@ function setupExpressApp(app, callback) {
 
 	app.use(helmet());
 	app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
+	app.use(helmet.hsts({
+		maxAge: parseInt(meta.config['hsts-maxage'], 10) || 31536000,
+		includeSubdomains: !!parseInt(meta.config['hsts-subdomains'], 10),
+		preload: !!parseInt(meta.config['hsts-preload'], 10),
+	}));
 	app.use(middleware.addHeaders);
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);