Use HSTS all the time, unless serving over HTTP

Not serving the HSTS header over HTTP is fairly bad
This commit is contained in:
Jake Howard 2018-01-17 20:31:12 +00:00
parent ef9b100dd1
commit 251d46b43f
Signed by: jake
GPG key ID: 57AFB45680EDD477
3 changed files with 10 additions and 5 deletions


@ -19,6 +19,7 @@ Options:
-b <auth> --basic-auth=<auth> Enable basic-auth.
-i <ips> --ips=<ips> Allowed IP addresses.
-l --list-dir List Directory.
-s --allow-http Allow connection over HTTP.
--opbeat Enable Opbeat.
-o --open Open in browser after start.
`;
@ -35,6 +36,7 @@ export default function getArgs() : Options {
dirList: rawArgs['--list-dir'],
serveDir: rawArgs['<dir>'],
opbeat: rawArgs['--opbeat'],
open: rawArgs['--open']
open: rawArgs['--open'],
allowHttp: rawArgs['--allow-http']
};
}
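Review bot: The new usage line for `-s --allow-http` in the first hunk documents only the transport side of the flag, while the same commit makes it the switch that removes the HSTS middleware in createServer, and the docopt text is the only place a user sees that trade-off. Suggest `-s --allow-http Allow connection over HTTP (also disables HSTS).` so the security consequence is visible at the command line. The getArgs body in the second hunk starts before the hunk; the `allowHttp` mapping itself looks fine.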


@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
enforce: false,
maxAge: 1000
}));
app.use(helmet.hsts({
maxAge: 5184000,
setIf: (req, res) => req.secure,
}));
if (!opts.allowHttp) {
app.use(helmet.hsts({
maxAge: 5184000
}));
}
if (process.env.NODE_ENV !== 'test') {
app.use(logging);
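Review bot: With `--allow-http` set, the new `if (!opts.allowHttp)` branch drops helmet.hsts entirely, so a deployment that accepts plain HTTP but also serves HTTPS no longer sends Strict-Transport-Security on its HTTPS responses either, which is a regression from the removed `setIf: (req, res) => req.secure` variant for that case. Keeping one middleware and making the condition depend on the flag preserves HSTS for secure responses in both modes: `app.use(helmet.hsts({ maxAge: 5184000, setIf: opts.allowHttp ? (req) => req.secure : () => true }));`. If the motivation for removing the `req.secure` check was that it is false behind a TLS-terminating proxy, that is presumably better addressed by Express's `trust proxy` setting than by dropping the header; worth confirming against the deployment. createServer starts and ends outside this hunk.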


@ -7,4 +7,5 @@ export interface Options {
serveDir: string;
opbeat: boolean;
open: boolean;
allowHttp: boolean;
}
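Review bot: The added `allowHttp: boolean;` field on the exported Options interface carries no TSDoc, and its effect in createServer is broader than the name suggests (it also suppresses the HSTS middleware). Suggest `/** Accept plain-HTTP connections; when true the HSTS header is not sent. */` above the field so consumers of Options see the security implication without reading the server code.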