Use HSTS all the time, unless serving over HTTP
Not serving the HSTS header over HTTP is fairly bad
parent
ef9b100dd1
commit
251d46b43f
3 changed files with 10 additions and 5 deletions
|
@ -19,6 +19,7 @@ Options:
|
|||
-b <auth> --basic-auth=<auth> Enable basic-auth.
|
||||
-i <ips> --ips=<ips> Allowed IP addresses.
|
||||
-l --list-dir List Directory.
|
||||
-s --allow-http Allow connection over HTTP.
|
||||
--opbeat Enable Opbeat.
|
||||
-o --open Open in browser after start.
|
||||
`;
|
||||
|
@ -35,6 +36,7 @@ export default function getArgs() : Options {
|
|||
dirList: rawArgs['--list-dir'],
|
||||
serveDir: rawArgs['<dir>'],
|
||||
opbeat: rawArgs['--opbeat'],
|
||||
open: rawArgs['--open']
|
||||
open: rawArgs['--open'],
|
||||
allowHttp: rawArgs['--allow-http']
|
||||
};
|
||||
}
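Review bot: The usage line `-s --allow-http Allow connection over HTTP.` does not say that the flag turns off the Strict-Transport-Security header, which is the only effect this commit gives it as far as the page shows (`allowHttp` is read only by the HSTS guard in createServer). An operator who sets it for convenience also loses HSTS on HTTPS responses, so the help text should say so, e.g. `-s --allow-http Allow plain HTTP (disables the HSTS header).`. The short form `-s` is easy to misread as "secure" or "ssl"; consider another letter or only the long option. getArgs begins outside the second hunk, so how `rawArgs` is parsed is not visible here.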
|
||||
|
|
|
@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
|
|||
enforce: false,
|
||||
maxAge: 1000
|
||||
}));
|
||||
app.use(helmet.hsts({
|
||||
maxAge: 5184000,
|
||||
setIf: (req, res) => req.secure,
|
||||
}));
|
||||
|
||||
if (!opts.allowHttp) {
|
||||
app.use(helmet.hsts({
|
||||
maxAge: 5184000
|
||||
}));
|
||||
}
|
||||
|
||||
if (process.env.NODE_ENV !== 'test') {
|
||||
app.use(logging);
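Review bot: The new `if (!opts.allowHttp)` guard decides HSTS once at startup from a CLI flag, where the replaced call decided per request with `setIf: (req, res) => req.secure`, and nothing in the hunk records why. Browsers ignore Strict-Transport-Security received over plain HTTP, so sending it unconditionally is safe, but once a browser sees it over HTTPS it upgrades every request to that host, on any port, for the whole `maxAge`. That matters if the tool is usually run on a shared hostname such as `localhost`, which the page does not show. I would add a comment above the guard, `// HSTS pins browsers to HTTPS for maxAge seconds (5184000 = 60 days); skipped with --allow-http so plain-HTTP access keeps working`, and confirm the installed helmet release reads `maxAge` in seconds, since older releases took milliseconds. createServer's body starts and ends outside the hunk.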
|
||||
|
|
|
@ -7,4 +7,5 @@ export interface Options {
|
|||
serveDir: string;
|
||||
opbeat: boolean;
|
||||
open: boolean;
|
||||
allowHttp: boolean;
|
||||
}
|
||||
|
|