summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLiterallie2017-10-13 01:09:04 +0200
committerLiterallie2017-10-13 01:42:05 +0200
commit56411ca0e10a90d8206508171e3871146bce5351 (patch)
treecfd1983803fe35f95dc47067b27dcd745ad42428
parent53c2d0b5ca5901c1d1cad819e2049b16fba18ea8 (diff)
Make HSTS behaviour configurable; Fixes #584
Diffstat (limited to '')
-rw-r--r--README.md1
-rw-r--r--app.js15
-rw-r--r--config.json.example9
-rw-r--r--lib/config/default.js6
4 files changed, 26 insertions, 5 deletions
diff --git a/README.md b/README.md
index 78d3e352..0fecc43b 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,7 @@ Application settings `config.json`
| port | `80` | web app port |
| alloworigin | `['localhost']` | domain name whitelist |
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
+| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
diff --git a/app.js b/app.js
index 1508781c..62e6627d 100644
--- a/app.js
+++ b/app.js
@@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
app.use(compression())
// use hsts to tell https users stick to this
-app.use(helmet.hsts({
- maxAge: 31536000 * 1000, // 365 days
- includeSubdomains: true,
- preload: true
-}))
+if (config.hsts.enable) {
+ app.use(helmet.hsts({
+ maxAge: config.hsts.maxAgeSeconds * 1000,
+ includeSubdomains: config.hsts.includeSubdomains,
+ preload: config.hsts.preload
+ }))
+} else if (config.usessl) {
+ logger.info('Consider enabling HSTS for extra security:')
+ logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
i18n.configure({
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
diff --git a/config.json.example b/config.json.example
index 87c04ed0..e2d774c7 100644
--- a/config.json.example
+++ b/config.json.example
@@ -6,6 +6,9 @@
}
},
"development": {
+ "hsts": {
+ "enable": false
+ },
"db": {
"dialect": "sqlite",
"storage": "./db.hackmd.sqlite"
@@ -13,6 +16,12 @@
},
"production": {
"domain": "localhost",
+ "hsts": {
+ "enable": "true",
+ "maxAgeSeconds": "31536000",
+ "includeSubdomains": "true",
+ "preload": "true"
+ },
"db": {
"username": "",
"password": "",
diff --git a/lib/config/default.js b/lib/config/default.js
index a14a4294..f4c45e3d 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -7,6 +7,12 @@ module.exports = {
urladdport: false,
alloworigin: ['localhost'],
usessl: false,
+ hsts: {
+ enable: true,
+ maxAgeSeconds: 31536000,
+ includeSubdomains: true,
+ preload: true
+ },
protocolusessl: false,
usecdn: true,
allowanonymous: true,