Fixed #5341 CSS Styles do not load in ISPConfig UI when no SSL is used
My fault on this one - I feel pretty dumb, not even considering that some folks might run ISPConfig without HTTPS.
The CSP header could still be used on HTTP sites, just remove "; upgrade-insecure-requests" from the end. I don't know how to do that in the template language right offhand (if/else or ??), so just mentioning it for now.
Similarly, the set-cookie header could/should still be set HTTPOnly, just drop off the 'Secure' if running ISPConfig without HTTPS.
FWIW, the HSTS header should be fine as is, it is ignored on HTTP sites.
Hi Jesse, my test servers are using https too, that's why I did not notice it earlier. I'll have a look at this to see if we can modify the options for http systems. But in general, I would say that users should just enable https. I guess we should consider disabling the option to not encrypt the UI in ISPConfig 3.2.