Import Strict-Transport-Security (hsts) middleware
This imports the [hsts package][0] into this repo as part of my effort to make Helmet a monorepo. You can find its prior history in the old repo.

Similar to:

* f98ff72 which imported `x-xss-protection`
* df561bb which imported `helmet-csp`
* 936cd27 which imported `referrer-policy`
* 141f131 which imported `crossdomain`
* ff12fb7 which imported `dont-sniff-mimetype`
* 2b64d11 which imported `hide-powered-by`
* 7906601 which imported `frameguard`
* d03c555 which imported `expect-ct`
* e933c28 which imported `dns-prefetch-control`
* 13b496f which imported `ienoopen`

[0]: https://github.com/helmetjs/hsts
Showing 13 changed files with 311 additions and 23 deletions.
@@ -0,0 +1,34 @@ | ||
# Changelog | ||
|
||
## 3.0.0 - Unreleased | ||
|
||
### Added | ||
|
||
- TypeScript type definitions. See [#25](https://github.com/helmetjs/hsts/pull/25) | ||
|
||
### Removed | ||
|
||
- Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://github.com/helmetjs/helmet/issues/231) | ||
- Dropped support for `setIf`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware). See [#232](https://github.com/helmetjs/helmet/issues/232) | ||
- Dropped support for old Node versions. Node 10+ is now required | ||
|
||
## 2.2.0 - 2019-03-10 | ||
|
||
### Added | ||
|
||
- Created a changelog | ||
|
||
### Changed | ||
|
||
- Mark the module as Node 4+ in the `engines` field of `package.json` | ||
- Add a `homepage` in `package.json` | ||
- Add an email to `package.json`'s `bugs` field | ||
- Updated documentation | ||
- Updated Adam Baldwin's contact info. See [helmetjs/helmet#189](https://github.com/helmetjs/helmet/issues/189) | ||
|
||
### Deprecated | ||
|
||
- The `setIf` option has been deprecated and will be removed in `hsts@3`. Refer to the documentation to see how to do without it. See [#22](https://github.com/helmetjs/hsts/issues/22) for more | ||
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [#21](https://github.com/helmetjs/hsts/issues/21) for more | ||
|
||
Changes in versions 2.1.0 and below can be found in [Helmet's changelog](https://github.com/helmetjs/helmet/blob/master/CHANGELOG.md). |
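Review bot: the 3.0.0 "Removed" entries for `setIf` and `includeSubdomains` don't say what happens when a caller still passes them; in this commit's `index.ts` both produce a `console.warn` and are otherwise ignored (the header is still set, and `includeSubDomains` stays on), whereas `maxage` throws. A short clause on each entry, such as "passing it now logs a warning and has no effect", would make the upgrade path explicit, since the warning is only printed once at startup.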
@@ -0,0 +1,45 @@ | ||
# HTTP Strict Transport Security middleware | ||
|
||
This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to _switch_ to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. | ||
|
||
This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days: | ||
|
||
```javascript | ||
const strictTransportSecurity = require("hsts"); | ||
|
||
// Sets "Strict-Transport-Security: max-age=15552000; includeSubDomains" | ||
app.use( | ||
strictTransportSecurity({ | ||
maxAge: 15552000, // 180 days in seconds | ||
}) | ||
); | ||
``` | ||
|
||
Note that the max age must be in seconds. | ||
|
||
The `includeSubDomains` directive is present by default. If this header is set on _example.com_, supported browsers will also use HTTPS on _my-subdomain.example.com_. You can disable this: | ||
|
||
```javascript | ||
app.use( | ||
strictTransportSecurity({ | ||
maxAge: 15552000, | ||
includeSubDomains: false, | ||
}) | ||
); | ||
``` | ||
|
||
Some browsers let you submit your site's HSTS to be baked into the browser. You can add `preload` to the header with the following code. You can check your eligibility and submit your site at [hstspreload.org](https://hstspreload.org/). | ||
|
||
```javascript | ||
app.use( | ||
strictTransportSecurity({ | ||
maxAge: 31536000, // Must be at least 1 year to be approved | ||
includeSubDomains: true, // Must be enabled to be approved | ||
preload: true, | ||
}) | ||
); | ||
``` | ||
|
||
[The header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1), so it's safe to set in development. | ||
|
||
This header is [somewhat well-supported by browsers](https://caniuse.com/#feat=stricttransportsecurity). |
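Review bot: the RFC 6797 link in the opening paragraph uses plain `http://tools.ietf.org/html/rfc6797` while the later link to section 8.1 uses `https://`; for a README whose subject is forcing HTTPS, change the first to `https://tools.ietf.org/html/rfc6797`. Also, the text states that `includeSubDomains` is on by default but never states the default `maxAge`; `index.ts` uses `180 * 24 * 60 * 60` (15552000 seconds, the same value the first example passes explicitly), so a sentence like "If `maxAge` is omitted it defaults to 180 days (15552000 seconds)" would tell readers what `strictTransportSecurity()` with no options emits.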
@@ -0,0 +1,77 @@ | ||
import { IncomingMessage, ServerResponse } from "http"; | ||
|
||
const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60; | ||
|
||
export interface StrictTransportSecurityOptions { | ||
maxAge?: number; | ||
includeSubDomains?: boolean; | ||
preload?: boolean; | ||
} | ||
|
||
function parseMaxAge(value: void | number): number { | ||
if (value === undefined) { | ||
return DEFAULT_MAX_AGE; | ||
} else if ( | ||
typeof value === "number" && | ||
value >= 0 && | ||
Number.isFinite(value) | ||
) { | ||
return Math.floor(value); | ||
} else { | ||
throw new Error( | ||
`Strict-Transport-Security: ${JSON.stringify( | ||
value | ||
)} is not a valid value for maxAge. Please choose a positive integer.` | ||
); | ||
} | ||
} | ||
|
||
function getHeaderValueFromOptions( | ||
options: Readonly<StrictTransportSecurityOptions> | ||
): string { | ||
if ("maxage" in options) { | ||
throw new Error( | ||
'maxage is not a supported property. Did you mean to pass "maxAge" instead of "maxage"?' | ||
); | ||
} | ||
if ("includeSubdomains" in options) { | ||
console.warn( | ||
'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)' | ||
); | ||
} | ||
if ("setIf" in options) { | ||
console.warn( | ||
"Strict-Transport-Security middleware no longer supports the `setIf` parameter. See the documentation and <https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware> if you need help replicating this behavior." | ||
); | ||
} | ||
|
||
const directives: string[] = [`max-age=${parseMaxAge(options.maxAge)}`]; | ||
|
||
if (options.includeSubDomains === undefined || options.includeSubDomains) { | ||
directives.push("includeSubDomains"); | ||
} | ||
|
||
if (options.preload) { | ||
directives.push("preload"); | ||
} | ||
|
||
return directives.join("; "); | ||
} | ||
|
||
function strictTransportSecurity( | ||
options: Readonly<StrictTransportSecurityOptions> = {} | ||
) { | ||
const headerValue = getHeaderValueFromOptions(options); | ||
|
||
return function strictTransportSecurityMiddleware( | ||
_req: IncomingMessage, | ||
res: ServerResponse, | ||
next: () => void | ||
) { | ||
res.setHeader("Strict-Transport-Security", headerValue); | ||
next(); | ||
}; | ||
} | ||
|
||
module.exports = strictTransportSecurity; | ||
export default strictTransportSecurity; |
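Review bot: in `parseMaxAge` the error message says "Please choose a positive integer" but the check accepts `0` (`value >= 0`) and floors non-integers, and `max-age=0` is a legitimate value under RFC 6797 (it instructs browsers to drop the stored policy), so the message should say "non-negative integer" to match what is actually accepted. Two smaller points: the parameter type `void | number` reads better as `number | undefined`, since `void` describes a missing return value rather than a value type; and the three unsupported-option checks are inconsistent, with `maxage` throwing while `includeSubdomains` and `setIf` only `console.warn` and are then ignored, so a JavaScript caller who passes `setIf` gets the header set unconditionally after a single startup warning. If that difference is deliberate, a comment saying so would help the next reader.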
@@ -0,0 +1 @@ | ||
["index.js", "index.d.ts"] |
middlewares/strict-transport-security/package-overrides.json (13 additions, 0 deletions)
@@ -0,0 +1,13 @@ | ||
{ | ||
"name": "hsts", | ||
"description": "HTTP Strict Transport Security middleware", | ||
"version": "2.2.0", | ||
"keywords": [ | ||
"express", | ||
"security", | ||
"hsts", | ||
"strict-transport-security", | ||
"https" | ||
], | ||
"homepage": "https://helmetjs.github.io/docs/hsts/" | ||
} |
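Review bot: `"version": "2.2.0"` here is the last published `hsts` version, while the imported CHANGELOG already lists breaking changes under "3.0.0 - Unreleased" (removal of `setIf` and lowercase `includeSubdomains`, Node 10+ required). That is consistent with "Unreleased", but the version will need to move to `3.0.0` before this middleware is published from the monorepo, since the warn-and-ignore behaviour for the removed options is a semver-major change for callers.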