Make Helmet's HSTS configurable from config file

Closed #115
2025-01-31 07:11:33 +00:00 · 2020-02-13 15:03:31 +07:00 · 2020-02-13 15:03:31 +07:00 · 609753f1e9
commit 609753f1e9
parent 783ac81bf7
2 changed files with 22 additions and 2 deletions
--- a/config.sample.js
+++ b/config.sample.js
@ -99,6 +99,19 @@ module.exports = {
    500: '500.html'
  },

+  /*
+    HTTP Strict Transport Security (HSTS).
+    This doesn't enforce HTTP users to switch to HTTPS.
+    It only tells HTTPS users to stick around (i.e. not to downgrade to HTTP).
+    When set, it's also added to HTTP responses because the header will be ignored anyway.
+    https://helmetjs.github.io/docs/hsts/#the-code
+  */
+  hsts: {
+    // maxAge: 63072000, // 2 years
+    // includeSubDomains: true,
+    // preload: true
+  },
+
  /*
    Trust proxy.
    Enable this if you are using proxy such as Cloudflare or Incapsula,
--- a/lolisafe.js
+++ b/lolisafe.js
@ -27,8 +27,15 @@ const nojs = require('./routes/nojs')

 const db = require('knex')(config.database)

-safe.use(helmet())
-if (config.trustProxy) safe.set('trust proxy', 1)
+safe.use(helmet({
+  hsts: false
+}))
+
+if (config.hsts instanceof Object && Object.keys(config.hsts).length)
+  safe.use(helmet.hsts(config.hsts))
+
+if (config.trustProxy)
+  safe.set('trust proxy', 1)

 // https://mozilla.github.io/nunjucks/api.html#configure
 nunjucks.configure('views', {