From 251d46b43f037d981402260e7f38bc75eb1ea44e Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 17 Jan 2018 20:31:12 +0000
Subject: [PATCH] Use HSTS all the time, unless serving over HTTP

Not serving the HSTS header over HTTP is fairly bad
---
 src/cli.ts         |  4 +++-
 src/server.ts      | 10 ++++++----
 src/types/index.ts |  1 +
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/cli.ts b/src/cli.ts
index dc0f91c..335907d 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -19,6 +19,7 @@ Options:
   -b <auth> --basic-auth=<auth>   Enable basic-auth.
   -i <ips> --ips=<ips>  Allowed IP addresses.
   -l --list-dir  List Directory.
+  -s --allow-http  Allow connection over HTTP.
   --opbeat  Enable Opbeat.
   -o --open  Open in browser after start.
 `;
@@ -35,6 +36,7 @@ export default function getArgs() : Options {
         dirList: rawArgs['--list-dir'],
         serveDir: rawArgs['<dir>'],
         opbeat: rawArgs['--opbeat'],
-        open: rawArgs['--open']
+        open: rawArgs['--open'],
+        allowHttp: rawArgs['--allow-http']
     };
 }
diff --git a/src/server.ts b/src/server.ts
index ffd1408..d3ac4b0 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
         enforce: false,
         maxAge: 1000
     }));
-    app.use(helmet.hsts({
-        maxAge: 5184000,
-        setIf: (req, res) => req.secure,
-    }));
+
+    if (!opts.allowHttp) {
+      app.use(helmet.hsts({
+          maxAge: 5184000
+      }));
+    }
 
     if (process.env.NODE_ENV !== 'test') {
         app.use(logging);
diff --git a/src/types/index.ts b/src/types/index.ts
index d096ad6..a74c5f7 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -7,4 +7,5 @@ export interface Options {
     serveDir: string;
     opbeat: boolean;
     open: boolean;
+    allowHttp: boolean;
 }