browserReferrerPolicy = "referrer_policy"

	EnvBrowserCSPPolicy             = "MINIO_BROWSER_CONTENT_SECURITY_POLICY"
	EnvBrowserHSTSSeconds           = "MINIO_BROWSER_HSTS_SECONDS"
	EnvBrowserHSTSIncludeSubdomains = "MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS"
	EnvBrowserHSTSPreload           = "MINIO_BROWSER_HSTS_PRELOAD"
	EnvBrowserReferrerPolicy        = "MINIO_BROWSER_REFERRER_POLICY"
)

// DefaultKVS - default storage class config
var (

	globalBrowserEnabled = true

	// Custom browser redirect URL, not set by default
	// and it is automatically deduced.
	globalBrowserRedirectURL *xnet.URL

	// Disable redirect, default is enabled.
	globalBrowserRedirect bool

	// globalBrowserConfig Browser user configurable settings
	globalBrowserConfig browser.Config

	EnvBrowserRedirect            = "MINIO_BROWSER_REDIRECT" // On by default
	EnvBrowserRedirectURL         = "MINIO_BROWSER_REDIRECT_URL"
	EnvRootDriveThresholdSize     = "MINIO_ROOTDRIVE_THRESHOLD_SIZE"
	EnvRootDiskThresholdSize      = "MINIO_ROOTDISK_THRESHOLD_SIZE" // Deprecated Sep 2023
	EnvBrowserLoginAnimation      = "MINIO_BROWSER_LOGIN_ANIMATION"
	EnvBrowserSessionDuration     = "MINIO_BROWSER_SESSION_DURATION" // Deprecated after November 2023

		Queries("events", "{events:.*}")

	// ListBuckets
	apiRouter.Methods(http.MethodGet).Path(SlashSeparator).
		HandlerFunc(s3APIMiddleware(api.ListBucketsHandler))

	// S3 browser with signature v4 adds '//' for ListBuckets request, so rather
	// than failing with UnknownAPIRequest we simply handle it for now.
	apiRouter.Methods(http.MethodGet).Path(SlashSeparator + SlashSeparator).

		} else {
			globalCacheConfig.Update(cacheCfg)
		}
	case config.BrowserSubSys:
		browserCfg, err := browser.LookupConfig(s[config.BrowserSubSys][config.Default])
		if err != nil {
			errs = append(errs, fmt.Errorf("Unable to apply browser config: %w", err))
		} else {
			globalBrowserConfig.Update(browserCfg)
		}
	case config.ILMSubSys:

			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         config.Comment,

	if err != nil {
		logger.Fatal(config.ErrInvalidBrowserValue(err), "Invalid MINIO_BROWSER value in environment variable")
	}
	if globalBrowserEnabled {
		if redirectURL := env.Get(config.EnvBrowserRedirectURL, ""); redirectURL != "" {
			u, err := xnet.ParseHTTPURL(redirectURL)
			if err != nil {
				logger.Fatal(err, "Invalid MINIO_BROWSER_REDIRECT_URL value in environment variable")
			}

	apiRouter := initTestAPIEndPoints(obj, []string{"PostPolicy"})

	credentials := globalActiveCred
	bucketName := minioMetaBucket
	objectName := "config/x"

	// This exploit needs browser to be enabled.
	if !globalBrowserEnabled {
		globalBrowserEnabled = true
		defer func() { globalBrowserEnabled = false }()
	}

	// accordingly. Client receives a HTTP error for invalid/unsupported
	// signatures.
	//
	// Validates all incoming requests to have a valid date header.
	setAuthMiddleware,
	// Redirect some pre-defined browser request paths to a static location
	// prefix.
	setBrowserRedirectMiddleware,
	// Adds 'crossdomain.xml' policy middleware to serve legacy flash clients.
	setCrossDomainPolicyMiddleware,

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		read := r.Method == http.MethodGet || r.Method == http.MethodHead
		// Re-direction is handled specifically for browser requests.
		if !guessIsHealthCheckReq(r) && guessIsBrowserReq(r) && read && globalBrowserRedirect {
			// Fetch the redirect location if any.
			if u := getRedirectLocation(r); u != nil {
				// Employ a temporary re-direct.