Make HSTS behaviour configurable; Fixes #584

author: Literallie 2017-10-13 01:09:04 +0200
committer: Literallie 2017-10-13 01:42:05 +0200
commit: 56411ca0e10a90d8206508171e3871146bce5351 (patch)
tree: cfd1983803fe35f95dc47067b27dcd745ad42428 /app.js
parent: 53c2d0b5ca5901c1d1cad819e2049b16fba18ea8 (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/app.js b/app.js
index 1508781c..62e6627d 100644
--- a/app.js
+++ b/app.js
@@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
 app.use(compression())
 
 // use hsts to tell https users stick to this
-app.use(helmet.hsts({
-  maxAge: 31536000 * 1000, // 365 days
-  includeSubdomains: true,
-  preload: true
-}))
+if (config.hsts.enable) {
+  app.use(helmet.hsts({
+    maxAge: config.hsts.maxAgeSeconds * 1000,
+    includeSubdomains: config.hsts.includeSubdomains,
+    preload: config.hsts.preload
+  }))
+} else if (config.usessl) {
+  logger.info('Consider enabling HSTS for extra security:')
+  logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
 
 i18n.configure({
   locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
author	Literallie	2017-10-13 01:09:04 +0200
committer	Literallie	2017-10-13 01:42:05 +0200
commit	56411ca0e10a90d8206508171e3871146bce5351 (patch)
tree	cfd1983803fe35f95dc47067b27dcd745ad42428 /app.js
parent	53c2d0b5ca5901c1d1cad819e2049b16fba18ea8 (diff)