
hsts

HTTP Strict Transport Security middleware.

2.2.0  •  Published 9 months ago  •  by helmetjs  •  MIT License

HTTP Strict Transport Security middleware


This middleware adds the Strict-Transport-Security header to the response. This tells browsers, “hey, only use HTTPS for the next period of time”. (See the spec for more.) Note that the header won’t tell users on HTTP to switch to HTTPS; it will just tell users who already arrived over HTTPS to stick around. You can enforce HTTPS with the express-enforces-ssl module.

This will set the Strict-Transport-Security header, telling browsers to visit by HTTPS for the next 180 days:

const express = require('express')
const hsts = require('hsts')

const app = express()

app.use(hsts({
  maxAge: 15552000  // 180 days in seconds
}))
// Resulting response header:
// Strict-Transport-Security: max-age=15552000; includeSubDomains

Note that the max age must be in seconds. This was different in previous versions of this module!

The includeSubDomains directive is present by default. If this header is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. You can disable this:

app.use(hsts({
  maxAge: 15552000,
  includeSubDomains: false
}))

Some browsers let you submit your site’s HSTS to be baked into the browser. You can add preload to the header with the following code. You can check your eligibility and submit your site at hstspreload.org.

app.use(hsts({
  maxAge: 31536000,        // Must be at least 1 year to be approved
  includeSubDomains: true, // Must be enabled to be approved
  preload: true
}))

This middleware always sets the header, even on plain-HTTP responses, because browsers ignore the header when it arrives over insecure HTTP anyway. You may wish to set it only on HTTPS responses:

const hstsMiddleware = hsts({
  maxAge: 1234000
})

app.use((req, res, next) => {
  if (req.secure) {
    hstsMiddleware(req, res, next)
  } else {
    next()
  }
})
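To make the behaviour of the options above concrete (max-age in seconds, includeSubDomains on by default, preload, and the req.secure gate), here is an added example that re-implements a minimal HSTS middleware and checks its output with hand-built request and response objects. This is illustrative code written for this page, not the hsts package's own implementation; the function names (buildHstsValue, meetsPreloadRequirements, secureOnly, runRequest) and the fake req/res objects are assumptions, and it runs without Express or hsts installed.

```javascript
// Added example, not the hsts package's own code. Function names and the fake
// req/res objects below are constructed for illustration.

// Build the Strict-Transport-Security header value from hsts-style options.
// maxAge is a number of SECONDS, matching the README's note.
function buildHstsValue (options = {}) {
  const { maxAge = 15552000, includeSubDomains = true, preload = false } = options
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('HSTS maxAge must be a non-negative integer number of seconds')
  }
  const directives = [`max-age=${maxAge}`]
  if (includeSubDomains) directives.push('includeSubDomains')
  if (preload) directives.push('preload')
  return directives.join('; ')
}

// Check the preload-list requirements stated in the README:
// max-age of at least one year, includeSubDomains enabled, preload token present.
function meetsPreloadRequirements (options = {}) {
  const value = buildHstsValue(options)
  const maxAge = Number(value.match(/max-age=(\d+)/)[1])
  return maxAge >= 31536000 &&
    value.includes('includeSubDomains') &&
    value.includes('preload')
}

// Express/Connect-style middleware factory: sets the header on every response.
function hstsMiddleware (options) {
  const value = buildHstsValue(options)
  return function hsts (req, res, next) {
    res.setHeader('Strict-Transport-Security', value)
    next()
  }
}

// Wrapper that applies a middleware only when the request arrived over HTTPS,
// mirroring the req.secure check shown in the README.
function secureOnly (middleware) {
  return function (req, res, next) {
    if (req.secure) {
      middleware(req, res, next)
    } else {
      next()
    }
  }
}

// Run one simulated request through a middleware (no real server needed) and
// report whether next() was called and which HSTS header, if any, was set.
function runRequest (middleware, secure) {
  const req = { secure }                       // constructed fake request
  const headers = {}
  const res = {                                // constructed fake response
    setHeader: (name, value) => { headers[name.toLowerCase()] = value }
  }
  let nextCalled = false
  middleware(req, res, () => { nextCalled = true })
  return { nextCalled, hsts: headers['strict-transport-security'] || null }
}

// Demonstration of the cases discussed in the README.
const gated = secureOnly(hstsMiddleware({ maxAge: 1234000 }))
console.log(buildHstsValue({ maxAge: 15552000 }))
console.log(buildHstsValue({ maxAge: 15552000, includeSubDomains: false }))
console.log(meetsPreloadRequirements({ maxAge: 31536000, includeSubDomains: true, preload: true }))
console.log(runRequest(gated, true))   // header set
console.log(runRequest(gated, false))  // header omitted, next() still called
```

The maxAge validation rejects fractional or negative values, which catches the millisecond-versus-seconds mix-up the README warns about only partially (a millisecond value is still an integer), so the comment on the option remains the practitioner's main safeguard.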

This header is somewhat well-supported by browsers.


Popularity

Weekly Downloads
627.1K
Stars
84

Maintenance

Development

Last ver 9 months ago
Created 5 years ago
Last commit 3 months ago
21 days between commits

Technology

Node version: 11.10.1
7.2K unpacked

Compliance

MIT License
OSI Approved
0 vulnerabilities

Contributors

8 contributors
Evan Hahn
Maintainer, 78 commits, 8 merges, 2 PRs
Works at Airtable
Gio De Francesco
2 commits
Trygve Lie
1 commit, 1 PR
Gio De Francesco
1 commit, 2 PRs
Francesco Rodriguez
1 commit, 1 PR
Works at vippsas
Paul Wright
1 commit, 1 PR
Works at KainosSoftwareLtd

Tags

helmet
security
express
connect
hsts
https
© 2019 Devstore, Inc.