v0.0.11

Author: dvershinin

CHANGELOG.md

@@ -1,7 +1,18 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-## [0.0.10] - 2020-05-31
+## [0.0.11] - 2022-03-18
+#### Fixed
+* Sending HSTS header no longer requires building with OpenSSL #12
+* Fixes HSTS preload was not added by default #15
+
+## [0.0.10] - 2022-03-13
+#### Added
+* Ability to opt-out of added `preload` addition for HSTS, using `security_headers_hsts_preload off;`.
+* Remove X-Application-Version header
+* For adding HSTS, check URL protocol instead of connection protocol to be 'https://' #12
+
+## [0.0.9] - 2020-05-31
 ### Changed
 * `X-Content-Type-Options` is now sent for all resources to accomodate Chromium's CORB 
 (see [webhint.io #1221](https://github.com/webhintio/hint/issues/1221)) 

src/ngx_http_security_headers_module.c

@@ -268,18 +268,16 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)
         ngx_set_headers_out_by_search(r, &key, &val);
     }
 
-#if (NGX_HTTP_SSL)
     if (r->schema.len == 5 && ngx_strncmp(r->schema.data, "https", 5) == 0)
     {
         ngx_str_set(&key, "Strict-Transport-Security");
         if (1 == slcf->hsts_preload) {
-            ngx_str_set(&val, "max-age=63072000; includeSubDomains");
-        } else {
             ngx_str_set(&val, "max-age=63072000; includeSubDomains; preload");
+        } else {
+            ngx_str_set(&val, "max-age=63072000; includeSubDomains");
         }
         ngx_set_headers_out_by_search(r, &key, &val);
     }
-#endif
 
     /* Add X-Frame-Options */
     if (r->headers_out.status != NGX_HTTP_NOT_MODIFIED