Merge pull request #585 from xxyy/feature/hsts-cfg
Make HSTS Behaviour Configurable (Fixes #584)
This commit is contained in:
commit
5ce8f40eac
6 changed files with 52 additions and 6 deletions
|
@ -154,6 +154,10 @@ Environment variables (will overwrite other server configs)
|
||||||
| HMD_S3_SECRET_ACCESS_KEY | no example | AWS secret key |
|
| HMD_S3_SECRET_ACCESS_KEY | no example | AWS secret key |
|
||||||
| HMD_S3_REGION | `ap-northeast-1` | AWS S3 region |
|
| HMD_S3_REGION | `ap-northeast-1` | AWS S3 region |
|
||||||
| HMD_S3_BUCKET | no example | AWS S3 bucket name |
|
| HMD_S3_BUCKET | no example | AWS S3 bucket name |
|
||||||
|
| HMD_HSTS_ENABLE | ` true` | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) |
|
||||||
|
| HMD_HSTS_INCLUDE_SUBDOMAINS | `true` | set to include subdomains in HSTS (default is `true`) |
|
||||||
|
| HMD_HSTS_MAX_AGE | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
|
||||||
|
| HMD_HSTS_PRELOAD | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
|
||||||
|
|
||||||
Application settings `config.json`
|
Application settings `config.json`
|
||||||
---
|
---
|
||||||
|
@ -166,6 +170,7 @@ Application settings `config.json`
|
||||||
| port | `80` | web app port |
|
| port | `80` | web app port |
|
||||||
| alloworigin | `['localhost']` | domain name whitelist |
|
| alloworigin | `['localhost']` | domain name whitelist |
|
||||||
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
|
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
|
||||||
|
| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
|
||||||
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
|
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
|
||||||
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
|
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
|
||||||
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
|
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
|
||||||
|
|
15
app.js
15
app.js
|
@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
|
||||||
app.use(compression())
|
app.use(compression())
|
||||||
|
|
||||||
// use hsts to tell https users stick to this
|
// use hsts to tell https users stick to this
|
||||||
app.use(helmet.hsts({
|
if (config.hsts.enable) {
|
||||||
maxAge: 31536000 * 1000, // 365 days
|
app.use(helmet.hsts({
|
||||||
includeSubdomains: true,
|
maxAge: config.hsts.maxAgeSeconds * 1000,
|
||||||
preload: true
|
includeSubdomains: config.hsts.includeSubdomains,
|
||||||
}))
|
preload: config.hsts.preload
|
||||||
|
}))
|
||||||
|
} else if (config.usessl) {
|
||||||
|
logger.info('Consider enabling HSTS for extra security:')
|
||||||
|
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
|
||||||
|
}
|
||||||
|
|
||||||
i18n.configure({
|
i18n.configure({
|
||||||
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
|
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
|
||||||
|
|
17
app.json
17
app.json
|
@ -23,7 +23,22 @@
|
||||||
"description": "Specify database type. See sequelize available databases. Default using postgres",
|
"description": "Specify database type. See sequelize available databases. Default using postgres",
|
||||||
"value": "postgres"
|
"value": "postgres"
|
||||||
},
|
},
|
||||||
|
"HMD_HSTS_ENABLE": {
|
||||||
|
"description": "whether to also use HSTS if HTTPS is enabled",
|
||||||
|
"required": false
|
||||||
|
},
|
||||||
|
"HMD_HSTS_MAX_AGE": {
|
||||||
|
"description": "max duration, in seconds, to tell clients to keep HSTS status",
|
||||||
|
"required": false
|
||||||
|
},
|
||||||
|
"HMD_HSTS_INCLUDE_SUBDOMAINS": {
|
||||||
|
"description": "whether to tell clients to also regard subdomains as HSTS hosts",
|
||||||
|
"required": false
|
||||||
|
},
|
||||||
|
"HMD_HSTS_PRELOAD": {
|
||||||
|
"description": "whether to allow at all adding of the site to HSTS preloads (e.g. in browsers)",
|
||||||
|
"required": false
|
||||||
|
},
|
||||||
"HMD_DOMAIN": {
|
"HMD_DOMAIN": {
|
||||||
"description": "domain name",
|
"description": "domain name",
|
||||||
"required": false
|
"required": false
|
||||||
|
|
|
@ -6,6 +6,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"development": {
|
"development": {
|
||||||
|
"hsts": {
|
||||||
|
"enable": false
|
||||||
|
},
|
||||||
"db": {
|
"db": {
|
||||||
"dialect": "sqlite",
|
"dialect": "sqlite",
|
||||||
"storage": "./db.hackmd.sqlite"
|
"storage": "./db.hackmd.sqlite"
|
||||||
|
@ -13,6 +16,12 @@
|
||||||
},
|
},
|
||||||
"production": {
|
"production": {
|
||||||
"domain": "localhost",
|
"domain": "localhost",
|
||||||
|
"hsts": {
|
||||||
|
"enable": "true",
|
||||||
|
"maxAgeSeconds": "31536000",
|
||||||
|
"includeSubdomains": "true",
|
||||||
|
"preload": "true"
|
||||||
|
},
|
||||||
"db": {
|
"db": {
|
||||||
"username": "",
|
"username": "",
|
||||||
"password": "",
|
"password": "",
|
||||||
|
|
|
@ -7,6 +7,12 @@ module.exports = {
|
||||||
urladdport: false,
|
urladdport: false,
|
||||||
alloworigin: ['localhost'],
|
alloworigin: ['localhost'],
|
||||||
usessl: false,
|
usessl: false,
|
||||||
|
hsts: {
|
||||||
|
enable: true,
|
||||||
|
maxAgeSeconds: 31536000,
|
||||||
|
includeSubdomains: true,
|
||||||
|
preload: true
|
||||||
|
},
|
||||||
protocolusessl: false,
|
protocolusessl: false,
|
||||||
usecdn: true,
|
usecdn: true,
|
||||||
allowanonymous: true,
|
allowanonymous: true,
|
||||||
|
|
|
@ -8,6 +8,12 @@ module.exports = {
|
||||||
port: process.env.HMD_PORT,
|
port: process.env.HMD_PORT,
|
||||||
urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT),
|
urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT),
|
||||||
usessl: toBooleanConfig(process.env.HMD_USESSL),
|
usessl: toBooleanConfig(process.env.HMD_USESSL),
|
||||||
|
hsts: {
|
||||||
|
enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
|
||||||
|
maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE,
|
||||||
|
includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
|
||||||
|
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
|
||||||
|
},
|
||||||
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
||||||
alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
|
alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
|
||||||
usecdn: toBooleanConfig(process.env.HMD_USECDN),
|
usecdn: toBooleanConfig(process.env.HMD_USECDN),
|
||||||
|
|
Loading…
Reference in a new issue