author | Literallie | 2017-10-13 01:09:04 +0200 |
committer | Literallie | 2017-10-13 01:42:05 +0200 |
commit | 56411ca0e10a90d8206508171e3871146bce5351 (patch) | |
tree | cfd1983803fe35f95dc47067b27dcd745ad42428 | |
parent | 53c2d0b5ca5901c1d1cad819e2049b16fba18ea8 (diff) |
Make HSTS behaviour configurable; Fixes #584
Diffstat (limited to '')
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | app.js | 15 | ||||
-rw-r--r-- | config.json.example | 9 | ||||
-rw-r--r-- | lib/config/default.js | 6 |
4 files changed, 26 insertions, 5 deletions
@@ -166,6 +166,7 @@ Application settings `config.json`
 | port | `80` | web app port |
 | alloworigin | `['localhost']` | domain name whitelist |
 | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
+| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
 | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
 | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
 | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
@@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
 app.use(compression())
 
 // use hsts to tell https users stick to this
-app.use(helmet.hsts({
- maxAge: 31536000 * 1000, // 365 days
- includeSubdomains: true,
- preload: true
-}))
+if (config.hsts.enable) {
+ app.use(helmet.hsts({
+ maxAge: config.hsts.maxAgeSeconds * 1000,
+ includeSubdomains: config.hsts.includeSubdomains,
+ preload: config.hsts.preload
+ }))
+} else if (config.usessl) {
+ logger.info('Consider enabling HSTS for extra security:')
+ logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
 
 i18n.configure({
 locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
diff --git a/config.json.example b/config.json.example
index 87c04ed0..e2d774c7 100644
--- a/config.json.example
+++ b/config.json.example
@@ -6,6 +6,9 @@
 }
 },
 "development": {
+ "hsts": {
+ "enable": false
+ },
 "db": {
 "dialect": "sqlite",
 "storage": "./db.hackmd.sqlite"
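Review bot: `if (config.hsts.enable)` and the `includeSubdomains`/`preload` options pass the config values straight through by truthiness, while the production block of config.json.example and the README row in this same commit spell those values as the strings `"true"`; a string `"false"` is also truthy, so an operator following that example cannot turn HSTS or subdomain inclusion off, and helmet receives a string where it expects a boolean. Normalize once, e.g. `const hstsFlag = (v) => v === true || v === 'true'` and `if (hstsFlag(config.hsts.enable)) {`, and pass `hstsFlag(...)` for the two flags (or have the config loader reject non-boolean values and fix the example). `maxAgeSeconds` is likewise coerced implicitly by `* 1000`; if an override `hsts` object lacks that key — I cannot tell from here whether the loader deep-merges with the defaults — the product is `NaN`, so `Number(config.hsts.maxAgeSeconds)` guarded by `Number.isFinite` would fail loudly instead of emitting a broken header. The surrounding middleware setup continues outside the hunk.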
@@ -13,6 +16,12 @@
 },
 "production": {
 "domain": "localhost",
+ "hsts": {
+ "enable": "true",
+ "maxAgeSeconds": "31536000",
+ "includeSubdomains": "true",
+ "preload": "true"
+ },
 "db": {
 "username": "",
 "password": "",
diff --git a/lib/config/default.js b/lib/config/default.js
index a14a4294..f4c45e3d 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -7,6 +7,12 @@ module.exports = {
 urladdport: false,
 alloworigin: ['localhost'],
 usessl: false,
+ hsts: {
+ enable: true,
+ maxAgeSeconds: 31536000,
+ includeSubdomains: true,
+ preload: true
+ },
 protocolusessl: false,
 usecdn: true,
 allowanonymous: true,
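Review bot: The production `hsts` block quotes every value (`"enable": "true"`, `"maxAgeSeconds": "31536000"`), while the development block added by the same commit uses a real boolean (`"enable": false`) and lib/config/default.js uses unquoted booleans and a number. Because app.js tests these values by truthiness, the string form means `"false"` would still enable HSTS and subdomain inclusion, so the example teaches a value shape that cannot switch the feature off. Use the JSON types the defaults use: `"hsts": { "enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true },`.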
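Review bot: The new `hsts` default switches on `includeSubdomains` and `preload` for every deployment that leaves the block untouched. A one-year `includeSubDomains` policy is applied by browsers to every subdomain of the serving host, including ones that may not serve TLS at all, and it persists until max-age expires, so it is hard to walk back; `preload` additionally asserts eligibility for the browser preload lists, which is meant to be a deliberate opt-in. Safer defaults would be `includeSubdomains: false,` and `preload: false,` with a comment such as `// opt in to includeSubdomains/preload only once every subdomain serves HTTPS` so operators enable them knowingly. Keeping `enable: true` while `usessl` defaults to `false` is reasonable when TLS is terminated upstream, but a short comment noting that browsers ignore the header over plain HTTP would save confusion.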