From 56411ca0e10a90d8206508171e3871146bce5351 Mon Sep 17 00:00:00 2001 From: Literallie Date: Fri, 13 Oct 2017 01:09:04 +0200 Subject: [PATCH] Make HSTS behaviour configurable; Fixes #584 --- README.md | 1 + app.js | 15 ++++++++++----- config.json.example | 9 +++++++++ lib/config/default.js | 6 ++++++ 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 78d3e352f..0fecc43b2 100644 --- a/README.md +++ b/README.md @@ -166,6 +166,7 @@ Application settings `config.json` | port | `80` | web app port | | alloworigin | `['localhost']` | domain name whitelist | | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) | +| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) | | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) | | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) | | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) | diff --git a/app.js b/app.js index 1508781cd..62e6627d4 100644 --- a/app.js +++ b/app.js @@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({ app.use(compression()) // use hsts to tell https users stick to this -app.use(helmet.hsts({ - maxAge: 31536000 * 1000, // 365 days - includeSubdomains: true, - preload: true -})) +if (config.hsts.enable) { + app.use(helmet.hsts({ + maxAge: config.hsts.maxAgeSeconds * 1000, + includeSubdomains: config.hsts.includeSubdomains, + preload: config.hsts.preload + })) +} else if (config.usessl) { + logger.info('Consider enabling HSTS for extra security:') + logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security') +} i18n.configure({ locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'], diff --git a/config.json.example b/config.json.example index 87c04ed0b..e2d774c78 100644 --- a/config.json.example +++ b/config.json.example @@ -6,6 +6,9 @@ } }, "development": { + "hsts": { + "enable": false + }, "db": { "dialect": "sqlite", "storage": "./db.hackmd.sqlite" @@ -13,6 +16,12 @@ }, "production": { "domain": "localhost", + "hsts": { + "enable": "true", + "maxAgeSeconds": "31536000", + "includeSubdomains": "true", + "preload": "true" + }, "db": { "username": "", "password": "", diff --git a/lib/config/default.js b/lib/config/default.js index a14a42944..f4c45e3d6 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -7,6 +7,12 @@ module.exports = { urladdport: false, alloworigin: ['localhost'], usessl: false, + hsts: { + enable: true, + maxAgeSeconds: 31536000, + includeSubdomains: true, + preload: true + }, protocolusessl: false, usecdn: true, allowanonymous: true,