-rw-r--r-- | app.js | 15 | ||||
-rw-r--r-- | app.json | 17 |
2 files changed, 26 insertions, 6 deletions
@@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
 app.use(compression())
 // use hsts to tell https users stick to this
-app.use(helmet.hsts({
- maxAge: 31536000 * 1000, // 365 days
- includeSubdomains: true,
- preload: true
-}))
+if (config.hsts.enable) {
+ app.use(helmet.hsts({
+ maxAge: config.hsts.maxAgeSeconds * 1000,
+ includeSubdomains: config.hsts.includeSubdomains,
+ preload: config.hsts.preload
+ }))
+} else if (config.usessl) {
+ logger.info('Consider enabling HSTS for extra security:')
+ logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
 i18n.configure({
 locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
@@ -23,7 +23,22 @@
 "description": "Specify database type. See sequelize available databases. Default using postgres",
 "value": "postgres"
 },
-
+ "HMD_HSTS_ENABLE": {
+ "description": "whether to also use HSTS if HTTPS is enabled",
+ "required": false
+ },
+ "HMD_HSTS_MAX_AGE": {
+ "description": "max duration, in seconds, to tell clients to keep HSTS status",
+ "required": false
+ },
+ "HMD_HSTS_INCLUDE_SUBDOMAINS": {
+ "description": "whether to tell clients to also regard subdomains as HSTS hosts",
+ "required": false
+ },
+ "HMD_HSTS_PRELOAD": {
+ "description": "whether to allow at all adding of the site to HSTS preloads (e.g. in browsers)",
+ "required": false
+ },
 "HMD_DOMAIN": {
 "description": "domain name",
 "required": false
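Review bot: The new `if (config.hsts.enable)` branch emits the Strict-Transport-Security header without consulting `config.usessl`, although the matching app.json entry describes HMD_HSTS_ENABLE as applying only "if HTTPS is enabled". Browsers ignore HSTS received over plain HTTP, so an HTTP-only deployment is unaffected, but behind a TLS-terminating proxy the header goes out while `usessl` is false; either gate it as `if (config.usessl && config.hsts.enable) {` or state the intent with a comment such as `// HSTS is sent even when usessl is false so TLS-terminating proxies still get it`. `config.hsts.maxAgeSeconds * 1000` evaluates to NaN when the option is unset, and whether config.js supplies a default (the removed line hard-coded 31536000 seconds) is not visible in this hunk. The multiplication by 1000 is carried over from the old code, so the installed helmet presumably still takes maxAge in milliseconds, and `includeSubdomains` (lower-case d) is likewise carried over although newer helmet releases spell it `includeSubDomains` — both worth confirming against the pinned helmet version.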
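Review bot: The four new HMD_HSTS_* descriptions state neither the default applied when the variable is unset nor the accepted value format, so an operator reading app.json cannot tell whether HSTS is on by default or what `HMD_HSTS_MAX_AGE` falls back to (the value removed from app.js was 31536000 seconds, 365 days). Consider extending each description once the defaults in config.js are confirmed, for example `"description": "max duration, in seconds, to tell clients to keep HSTS status (default: <confirm from config.js>)"`, and saying for the boolean ones which strings are treated as true. `HMD_HSTS_PRELOAD` should additionally mention that preload-list inclusion is effectively permanent and is only meaningful together with includeSubdomains and a long max-age, since a misconfigured preload cannot be quickly undone.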