From 67d4afb97ee22faa7a782791e235382b49ffe6f2 Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Fri, 14 Mar 2025 12:00:24 +0100
Subject: [PATCH] Use HSTS for local OAuth2 callback server CURA-12458 This prevents possible man-in-the-middle attacks from within the user PC. Not very likely, but still a good practice.
---
 cura/OAuth2/AuthorizationRequestHandler.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cura/OAuth2/AuthorizationRequestHandler.py b/cura/OAuth2/AuthorizationRequestHandler.py
index 9affee9911..5263cb8c2d 100644
--- a/cura/OAuth2/AuthorizationRequestHandler.py
+++ b/cura/OAuth2/AuthorizationRequestHandler.py
@@ -127,6 +127,7 @@ class AuthorizationRequestHandler(BaseHTTPRequestHandler):
     def _sendHeaders(self, status: "ResponseStatus", content_type: str, redirect_uri: str = None) -> None:
         self.send_response(status.code, status.message)
         self.send_header("Content-type", content_type)
+        self.send_header("Strict-Transport-Security", "max-age=900")
         if redirect_uri:
             self.send_header("Location", redirect_uri)
         self.end_headers()
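Review bot: The added `Strict-Transport-Security` header only has an effect when the response itself arrives over TLS; per RFC 6797 §8.1 a user agent must ignore the header on a response received over plain HTTP, and browsers additionally tend to exempt `localhost` from HSTS entirely. Nothing in this hunk (a `BaseHTTPRequestHandler` subclass, with the socket set up elsewhere in the class) shows the callback server wrapping its socket in TLS, so if it serves plain HTTP the header is a no-op and the commit message's claim about preventing local man-in-the-middle should be softened — confirm against the server setup. If the server is plain HTTP, the real mitigation is elsewhere (binding to the loopback address only, and validating the `state` parameter on the callback), not this header; if it does use TLS, the value is worth documenting, e.g. `# HSTS only honoured when served over TLS (RFC 6797 §8.1); max-age=900 = 15 min`. Either way `max-age=900` is a magic number — a named constant such as `HSTS_MAX_AGE_SECONDS = 900` next to the other class constants would make the intent clear. The rest of `AuthorizationRequestHandler` lies outside the hunk.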