Use HSTS all the time, unless serving over HTTP

Not serving the HSTS header over HTTP is fairly bad
2018-01-17 20:31:12 +00:00 · 2018-01-17 20:31:12 +00:00 · 251d46b43f
parent ef9b100dd1
commit 251d46b43f
3 changed files with 10 additions and 5 deletions
--- a/src/cli.ts
+++ b/src/cli.ts
@ -19,6 +19,7 @@ Options:
  -b <auth> --basic-auth=<auth>   Enable basic-auth.
  -i <ips> --ips=<ips>  Allowed IP addresses.
  -l --list-dir  List Directory.
+  -s --allow-http  Allow connection over HTTP.
  --opbeat  Enable Opbeat.
  -o --open  Open in browser after start.
 `;
@ -35,6 +36,7 @@ export default function getArgs() : Options {
        dirList: rawArgs['--list-dir'],
        serveDir: rawArgs['<dir>'],
        opbeat: rawArgs['--opbeat'],
-        open: rawArgs['--open']
+        open: rawArgs['--open'],
+        allowHttp: rawArgs['--allow-http']
    };
 }
--- a/src/server.ts
+++ b/src/server.ts
@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
        enforce: false,
        maxAge: 1000
    }));
-    app.use(helmet.hsts({
-        maxAge: 5184000,
-        setIf: (req, res) => req.secure,
-    }));
+
+    if (!opts.allowHttp) {
+      app.use(helmet.hsts({
+          maxAge: 5184000
+      }));
+    }

    if (process.env.NODE_ENV !== 'test') {
        app.use(logging);
--- a/src/types/index.ts
+++ b/src/types/index.ts
@ -7,4 +7,5 @@ export interface Options {
    serveDir: string;
    opbeat: boolean;
    open: boolean;
+    allowHttp: boolean;
 }