Either use or don't use HTTPS

The risk of injection attacks over plain HTTP is too great to allow a
site that serves both HTTP and HTTPS...
This commit is contained in:
Mikael Nordfeldth
2016-02-10 00:57:39 +01:00
parent dcf29c2a07
commit ec257d940a
11 changed files with 9 additions and 118 deletions


@@ -7,7 +7,7 @@ add "addPlugin('strictTransportSecurity');"
to the bottom of your config.php
The plugin will not do anything unless:
$config['site']['ssl'] is set to 'always'
$config['site']['ssl'] is set to something other than 'never'
$config['site']['path'] is either not set, empty, or '/'
Settings


@@ -43,7 +43,7 @@ class StrictTransportSecurityPlugin extends Plugin
function onArgsInitialize($args)
{
$path = common_config('site', 'path');
if(common_config('site', 'ssl') == 'always' && ($path == '/' || ! $path )) {
if (GNUsocial::useHTTPS() && ($path == '/' || mb_strlen($path)==0 )) {
header('Strict-Transport-Security: max-age=' . $this->max_age
. ($this->includeSubDomains ? '; includeSubDomains' : '')
. ($this->preloadToken ? '; preload' : ''));
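Review bot: The new guard on the `if` line delegates the whole decision to `GNUsocial::useHTTPS()`, whose semantics are not in this hunk, yet the README hunk now says the plugin acts whenever `site.ssl` is anything other than `'never'`; since an HSTS header commits browsers to refusing plain HTTP for `max_age` seconds, that helper must only return true when every page is served over TLS, or users of a mixed deployment are locked out. I would state that contract where it is relied on, e.g. `// HSTS locks clients to HTTPS for max_age seconds and is only honoured on a TLS response, so useHTTPS() must be true only when the whole site is HTTPS-only.` The path test also changed from `! $path` to `mb_strlen($path)==0`; if `common_config()` can return null for an unset path (the README says "not set" is allowed), `mb_strlen(null)` relies on null-to-string coercion that newer PHP deprecates, so `$path === null || $path === '' || $path === '/'` would be the explicit form. Note too that nothing visible validates the `preload` combination (the preload list requires `includeSubDomains` and a max-age of at least one year), which is worth a comment on the `preloadToken` line. The body of `onArgsInitialize` continues past the end of the hunk.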