Use HSTS all the time, unless serving over HTTP
Not serving the HSTS header over HTTP is fairly bad
This commit is contained in:
parent
ef9b100dd1
commit
251d46b43f
3 changed files with 10 additions and 5 deletions
|
@ -19,6 +19,7 @@ Options:
|
||||||
-b <auth> --basic-auth=<auth> Enable basic-auth.
|
-b <auth> --basic-auth=<auth> Enable basic-auth.
|
||||||
-i <ips> --ips=<ips> Allowed IP addresses.
|
-i <ips> --ips=<ips> Allowed IP addresses.
|
||||||
-l --list-dir List Directory.
|
-l --list-dir List Directory.
|
||||||
|
-s --allow-http Allow connection over HTTP.
|
||||||
--opbeat Enable Opbeat.
|
--opbeat Enable Opbeat.
|
||||||
-o --open Open in browser after start.
|
-o --open Open in browser after start.
|
||||||
`;
|
`;
|
||||||
|
@ -35,6 +36,7 @@ export default function getArgs() : Options {
|
||||||
dirList: rawArgs['--list-dir'],
|
dirList: rawArgs['--list-dir'],
|
||||||
serveDir: rawArgs['<dir>'],
|
serveDir: rawArgs['<dir>'],
|
||||||
opbeat: rawArgs['--opbeat'],
|
opbeat: rawArgs['--opbeat'],
|
||||||
open: rawArgs['--open']
|
open: rawArgs['--open'],
|
||||||
|
allowHttp: rawArgs['--allow-http']
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,10 +26,12 @@ export default function createServer(opts : Options) : express.Application {
|
||||||
enforce: false,
|
enforce: false,
|
||||||
maxAge: 1000
|
maxAge: 1000
|
||||||
}));
|
}));
|
||||||
|
|
||||||
|
if (!opts.allowHttp) {
|
||||||
app.use(helmet.hsts({
|
app.use(helmet.hsts({
|
||||||
maxAge: 5184000,
|
maxAge: 5184000
|
||||||
setIf: (req, res) => req.secure,
|
|
||||||
}));
|
}));
|
||||||
|
}
|
||||||
|
|
||||||
if (process.env.NODE_ENV !== 'test') {
|
if (process.env.NODE_ENV !== 'test') {
|
||||||
app.use(logging);
|
app.use(logging);
|
||||||
|
|
|
@ -7,4 +7,5 @@ export interface Options {
|
||||||
serveDir: string;
|
serveDir: string;
|
||||||
opbeat: boolean;
|
opbeat: boolean;
|
||||||
open: boolean;
|
open: boolean;
|
||||||
|
allowHttp: boolean;
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue