Added redirect policy which takes HSTS into account, so that even if …

…the location would go from HTTPs to HTTP it would follow to HTTPs if an HTSTS header is present
secinto · Aug 31, 2023 · c4810ff · c4810ff
1 parent 2ad958c
commit c4810ff
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/common/httpx/httpx.go b/common/httpx/httpx.go
@@ -75,6 +75,17 @@ func New(options *Options) (*HTTPX, error) {
 		redirectFunc = func(redirectedRequest *http.Request, previousRequests []*http.Request) error {
 			// add custom cookies if necessary
 			httpx.setCustomCookies(redirectedRequest)
+
+			location := redirectedRequest.Response.Header.Get("Location")
+			hsts := redirectedRequest.Response.Header.Get("Strict-Transport-Security")
+			url, err := redirectedRequest.URL.Parse(location)
+			if err != nil {
+			} else {
+				if url.Scheme == "http" && hsts != "" {
+					url.Scheme = "https"
+				}
+			}
+			redirectedRequest.URL = url
 			if len(previousRequests) >= options.MaxRedirects {
 				// https://github.com/golang/go/issues/10069
 				return http.ErrUseLastResponse