Make HSTS behaviour configurable; Fixes #584

2017-10-13 01:09:04 +02:00 · 2017-10-13 01:09:04 +02:00 · 56411ca0e1
commit 56411ca0e1
parent 53c2d0b5ca
4 changed files with 26 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -166,6 +166,7 @@ Application settings `config.json`
 | port | `80` | web app port |
 | alloworigin | `['localhost']` | domain name whitelist |
 | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
+| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
 | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
 | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
 | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
--- a/app.js
+++ b/app.js
@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
 app.use(compression())

 // use hsts to tell https users stick to this
-app.use(helmet.hsts({
-  maxAge: 31536000 * 1000, // 365 days
-  includeSubdomains: true,
-  preload: true
-}))
+if (config.hsts.enable) {
+  app.use(helmet.hsts({
+    maxAge: config.hsts.maxAgeSeconds * 1000,
+    includeSubdomains: config.hsts.includeSubdomains,
+    preload: config.hsts.preload
+  }))
+} else if (config.usessl) {
+  logger.info('Consider enabling HSTS for extra security:')
+  logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}

 i18n.configure({
  locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
--- a/config.json.example
+++ b/config.json.example
@ -6,6 +6,9 @@
        }
    },
    "development": {
+        "hsts": {
+            "enable": false
+        },
        "db": {
            "dialect": "sqlite",
            "storage": "./db.hackmd.sqlite"
@ -13,6 +16,12 @@
    },
    "production": {
        "domain": "localhost",
+        "hsts": {
+            "enable": "true",
+            "maxAgeSeconds": "31536000",
+            "includeSubdomains": "true",
+            "preload": "true"
+        },
        "db": {
            "username": "",
            "password": "",
--- a/lib/config/default.js
+++ b/lib/config/default.js
@ -7,6 +7,12 @@ module.exports = {
  urladdport: false,
  alloworigin: ['localhost'],
  usessl: false,
+  hsts: {
+    enable: true,
+    maxAgeSeconds: 31536000,
+    includeSubdomains: true,
+    preload: true
+  },
  protocolusessl: false,
  usecdn: true,
  allowanonymous: true,