Use HSTS all the time, unless serving over HTTP

Not serving the HSTS header over HTTP is fairly bad

src/cli.ts

@@ -19,6 +19,7 @@ Options:
   -b <auth> --basic-auth=<auth>   Enable basic-auth.
   -i <ips> --ips=<ips>  Allowed IP addresses.
   -l --list-dir  List Directory.
+  -s --allow-http  Allow connection over HTTP.
   --opbeat  Enable Opbeat.
   -o --open  Open in browser after start.
 `;
@@ -35,6 +36,7 @@ export default function getArgs() : Options {
         dirList: rawArgs['--list-dir'],
         serveDir: rawArgs['<dir>'],
         opbeat: rawArgs['--opbeat'],
-        open: rawArgs['--open']
+        open: rawArgs['--open'],
+        allowHttp: rawArgs['--allow-http']
     };
 }

src/server.ts

@@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
         enforce: false,
         maxAge: 1000
     }));
-    app.use(helmet.hsts({
-        maxAge: 5184000,
-        setIf: (req, res) => req.secure,
-    }));
+
+    if (!opts.allowHttp) {
+      app.use(helmet.hsts({
+          maxAge: 5184000
+      }));
+    }
 
     if (process.env.NODE_ENV !== 'test') {
         app.use(logging);

src/types/index.ts

@@ -7,4 +7,5 @@ export interface Options {
     serveDir: string;
     opbeat: boolean;
     open: boolean;
+    allowHttp: boolean;
 }