mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 03:06:31 -05:00
Make HSTS behaviour configurable; Fixes #584
This commit is contained in:
parent
53c2d0b5ca
commit
56411ca0e1
4 changed files with 26 additions and 5 deletions
|
@ -166,6 +166,7 @@ Application settings `config.json`
|
|||
| port | `80` | web app port |
|
||||
| alloworigin | `['localhost']` | domain name whitelist |
|
||||
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
|
||||
| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
|
||||
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
|
||||
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
|
||||
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
|
||||
|
|
15
app.js
15
app.js
|
@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
|
|||
app.use(compression())
|
||||
|
||||
// use hsts to tell https users stick to this
|
||||
app.use(helmet.hsts({
|
||||
maxAge: 31536000 * 1000, // 365 days
|
||||
includeSubdomains: true,
|
||||
preload: true
|
||||
}))
|
||||
if (config.hsts.enable) {
|
||||
app.use(helmet.hsts({
|
||||
maxAge: config.hsts.maxAgeSeconds * 1000,
|
||||
includeSubdomains: config.hsts.includeSubdomains,
|
||||
preload: config.hsts.preload
|
||||
}))
|
||||
} else if (config.usessl) {
|
||||
logger.info('Consider enabling HSTS for extra security:')
|
||||
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
|
||||
}
|
||||
|
||||
i18n.configure({
|
||||
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
}
|
||||
},
|
||||
"development": {
|
||||
"hsts": {
|
||||
"enable": false
|
||||
},
|
||||
"db": {
|
||||
"dialect": "sqlite",
|
||||
"storage": "./db.hackmd.sqlite"
|
||||
|
@ -13,6 +16,12 @@
|
|||
},
|
||||
"production": {
|
||||
"domain": "localhost",
|
||||
"hsts": {
|
||||
"enable": "true",
|
||||
"maxAgeSeconds": "31536000",
|
||||
"includeSubdomains": "true",
|
||||
"preload": "true"
|
||||
},
|
||||
"db": {
|
||||
"username": "",
|
||||
"password": "",
|
||||
|
|
|
@ -7,6 +7,12 @@ module.exports = {
|
|||
urladdport: false,
|
||||
alloworigin: ['localhost'],
|
||||
usessl: false,
|
||||
hsts: {
|
||||
enable: true,
|
||||
maxAgeSeconds: 31536000,
|
||||
includeSubdomains: true,
|
||||
preload: true
|
||||
},
|
||||
protocolusessl: false,
|
||||
usecdn: true,
|
||||
allowanonymous: true,
|
||||
|
|
Loading…
Reference in a new issue