From 6d52a6970ccc756c7899170e6d0d00a26ef79bf0 Mon Sep 17 00:00:00 2001
From: Edward Sammut Alessi
Date: Fri, 13 Mar 2026 09:06:21 +0100
Subject: [PATCH] feat: add hsts header for omni frontend
Add HSTS (Strict-Transport-Security) response header to the frontend
Signed-off-by: Edward Sammut Alessi
---
 internal/frontend/handler.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/internal/frontend/handler.go b/internal/frontend/handler.go
index da600750..362c8574 100644
--- a/internal/frontend/handler.go
+++ b/internal/frontend/handler.go
@@ -110,6 +110,9 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 defer file.Close() //nolint:errcheck
+ w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+
 if path != index {
 w.Header().Set("Vary", "Accept-Encoding, User-Agent")
 w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d, immutable", handler.maxAgeSec))
@@ -143,7 +146,6 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 )
 w.Header().Set("X-Frame-Options", "SAMEORIGIN")
- w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), "+
 "autoplay=(self), battery=(), camera=(), cross-origin-isolated=(self), display-capture=(), "+
 "document-domain=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), "+
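Review bot: The Strict-Transport-Security value added at the top of serveFile is hard-coded to `max-age=31536000; includeSubDomains`, so every deployment commits browsers to HTTPS for the host and all of its subdomains for a year, with no way for an operator to opt out or ramp the policy up gradually. Because HSTS also makes certificate errors non-bypassable, an instance served with an untrusted certificate, or one whose hostname has subdomains still served over plain HTTP, could lock users out until the policy expires. Consider taking the value from a handler field, the way `handler.maxAgeSec` feeds Cache-Control (for example a hypothetical `handler.hstsHeader`, skipped when empty), and adding a comment such as `// HSTS is sticky in browsers: once served it can only be withdrawn by sending max-age=0 over valid HTTPS.` The header is set only after the file has been opened, so error responses returned earlier in serveFile, which starts outside this hunk, presumably do not carry it.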