From f416b3323a440bb9ba6b129b29a014f38e72be11 Mon Sep 17 00:00:00 2001
From: Lucas Garron <lgarron@chromium.org>
Date: Tue, 2 May 2023 18:38:49 -0700
Subject: [PATCH] Output a `curl` command for debugging.

Experimentation for https://github.com/chromium/hstspreload.org/issues/215
---
 response.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/response.go b/response.go
index 41105c4..c5cc989 100644
--- a/response.go
+++ b/response.go
@@ -2,6 +2,7 @@ package hstspreload
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 )
@@ -12,10 +13,14 @@ func checkSingleHeader(resp *http.Response) (header *string, issues Issues) {
 
 	switch {
 	case len(hstsHeaders) == 0:
+		curlInfo := ""
+		if resp.Request != nil {
+			curlInfo = fmt.Sprintf(" Check that the following terminal command outputs `Strict-Transport-Security`: curl -I \"%v\"", resp.Request.URL)
+		}
 		return nil, issues.addErrorf(
 			"response.no_header",
 			"No HSTS header",
-			"Response error: No HSTS header is present on the response.")
+			"Response error: No HSTS header is present on the response.%s", curlInfo)
 
 	case len(hstsHeaders) > 1:
 		// TODO: Give feedback on the first(last?) HSTS header?