From 251d46b43f037d981402260e7f38bc75eb1ea44e Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 17 Jan 2018 20:31:12 +0000
Subject: [PATCH] Use HSTS all the time, unless serving over HTTP

Not serving the HSTS header over HTTP is fairly bad
---
 src/cli.ts | 4 +++-
 src/server.ts | 10 ++++++----
 src/types/index.ts | 1 +
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/cli.ts b/src/cli.ts
index dc0f91c..335907d 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -19,6 +19,7 @@ Options:
   -b --basic-auth= Enable basic-auth.
   -i --ips= Allowed IP addresses.
   -l --list-dir List Directory.
+  -s --allow-http Allow connection over HTTP.
   --opbeat Enable Opbeat.
   -o --open Open in browser after start.
 `;
@@ -35,6 +36,7 @@ export default function getArgs() : Options {
     dirList: rawArgs['--list-dir'],
     serveDir: rawArgs[''],
     opbeat: rawArgs['--opbeat'],
-    open: rawArgs['--open']
+    open: rawArgs['--open'],
+    allowHttp: rawArgs['--allow-http']
   };
 }
diff --git a/src/server.ts b/src/server.ts
index ffd1408..d3ac4b0 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
     enforce: false,
     maxAge: 1000
   }));
-  app.use(helmet.hsts({
-    maxAge: 5184000,
-    setIf: (req, res) => req.secure,
-  }));
+
+  if (!opts.allowHttp) {
+    app.use(helmet.hsts({
+      maxAge: 5184000
+    }));
+  }
 
   if (process.env.NODE_ENV !== 'test') {
     app.use(logging);
diff --git a/src/types/index.ts b/src/types/index.ts
index d096ad6..a74c5f7 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -7,4 +7,5 @@ export interface Options {
   serveDir: string;
   opbeat: boolean;
   open: boolean;
+  allowHttp: boolean;
 }
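Review bot: The new `-s --allow-http` help line in the usage template says only `Allow connection over HTTP.`, but what the flag actually does (per the src/server.ts hunk of this patch) is stop the Strict-Transport-Security header from being sent, and that consequence is what a user deciding whether to pass it needs to see. A user reading the help text would reasonably assume the flag only changes the listener, not a browser-side policy that outlives the process. I would spell it out, e.g. `-s --allow-http    Allow connection over HTTP (HSTS header is not sent).`. The usage template string starts before this hunk.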
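Review bot: Inside the new `if (!opts.allowHttp)` block, `helmet.hsts` now sends Strict-Transport-Security whenever the flag is absent, whereas the removed `setIf: (req, res) => req.secure` tied it to the connection actually being TLS; nothing in the hunk checks that the listener is HTTPS, so the CLI flag, not the transport, decides. A host served once over TLS without `--allow-http` is pinned to HTTPS by every visiting browser for 60 days (5184000 s), and if helmet's `includeSubDomains` default still applies here the pin also covers subdomains, which is a sharp edge for a tool that is evidently also run over plain HTTP. I would make the scope explicit and record the lifetime next to the constant, e.g. `maxAge: 5184000, // 60 days: browsers refuse plain HTTP to this host for that long` and `includeSubDomains: false, // ad-hoc file server; do not pin sibling hosts`. The enclosing createServer body starts and ends outside the hunk.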