.gitea/workflows/nightly.yml

@@ -107,7 +107,11 @@ jobs:
           RESOLVE="--resolve $HOST:443:127.0.0.1"
           echo "Smoke test: $URL (pinned to 127.0.0.1)"
           curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+          # Pin the preload-list-eligible HSTS value, not just header presence:
+          # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
+          # fail this check rather than pass it silently.
+          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+            | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"

.gitea/workflows/release.yml

@@ -101,7 +101,11 @@ jobs:
           RESOLVE="--resolve $HOST:443:127.0.0.1"
           echo "Smoke test: $URL (pinned to 127.0.0.1)"
           curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
-          curl -fsS $RESOLVE --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+          # Pin the preload-list-eligible HSTS value, not just header presence:
+          # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
+          # fail this check rather than pass it silently.
+          curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+            | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
           status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
           [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
           echo "All smoke checks passed"