Diffstat (limited to '')
-rw-r--r--app.js15
-rw-r--r--app.json17
2 files changed, 26 insertions, 6 deletions
diff --git a/app.js b/app.js
index 1508781c..62e6627d 100644
--- a/app.js
+++ b/app.js
@@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
app.use(compression())
// use hsts to tell https users stick to this
-app.use(helmet.hsts({
- maxAge: 31536000 * 1000, // 365 days
- includeSubdomains: true,
- preload: true
-}))
+if (config.hsts.enable) {
+ app.use(helmet.hsts({
+ maxAge: config.hsts.maxAgeSeconds * 1000,
+ includeSubdomains: config.hsts.includeSubdomains,
+ preload: config.hsts.preload
+ }))
+} else if (config.usessl) {
+ logger.info('Consider enabling HSTS for extra security:')
+ logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
i18n.configure({
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
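Review bot: The added `maxAge: config.hsts.maxAgeSeconds * 1000` carries over the original's millisecond convention, which is only correct for helmet releases whose hsts middleware takes milliseconds; later helmet releases take seconds, and a seconds value multiplied by 1000 would then be emitted as a max-age on the order of a thousand years, which clients cache and which is hard to walk back. Pin the assumption on that line with `// helmet.hsts maxAge is milliseconds in the pinned helmet version; drop the * 1000 if helmet moves to seconds`. Nothing in the hunk validates `config.hsts.maxAgeSeconds`; if the config loader leaves it undefined the expression is NaN and the header is wrong or helmet rejects it at startup — presumably defaults live in the config module, which is outside this diff. The `includeSubdomains` option name is also inherited from the old code, while newer helmet spells it `includeSubDomains`, so confirm the installed version accepts the lowercase form rather than silently ignoring it.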
diff --git a/app.json b/app.json
index e06720f4..1de6b7db 100644
--- a/app.json
+++ b/app.json
@@ -23,7 +23,22 @@
"description": "Specify database type. See sequelize available databases. Default using postgres",
"value": "postgres"
},
-
+ "HMD_HSTS_ENABLE": {
+ "description": "whether to also use HSTS if HTTPS is enabled",
+ "required": false
+ },
+ "HMD_HSTS_MAX_AGE": {
+ "description": "max duration, in seconds, to tell clients to keep HSTS status",
+ "required": false
+ },
+ "HMD_HSTS_INCLUDE_SUBDOMAINS": {
+ "description": "whether to tell clients to also regard subdomains as HSTS hosts",
+ "required": false
+ },
+ "HMD_HSTS_PRELOAD": {
+ "description": "whether to allow at all adding of the site to HSTS preloads (e.g. in browsers)",
+ "required": false
+ },
"HMD_DOMAIN": {
"description": "domain name",
"required": false
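Review bot: The description for HMD_HSTS_PRELOAD understates the commitment: browser preload lists require includeSubDomains and a max-age of at least one year, and removal from a list takes months, so an operator who toggles it casually can pin every subdomain to HTTPS with no quick rollback. Suggest rewording it to `"description": "whether to add the preload directive; set only if you intend to submit the site to browser HSTS preload lists (requires includeSubdomains and a max age of at least one year, and is hard to undo)"`. The four new entries also carry no `value` defaults, unlike the database entry above them; presumably the config module supplies defaults, which is outside this diff, but the HMD_HSTS_MAX_AGE description should state that default if one exists.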