33 lines
1.1 KiB
Plaintext
33 lines
1.1 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is not used:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
const expectCt = require('expect-ct');
|
||
|
|
|
||
|
|
let app = express(); // Sensitive
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
In Express.js application the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is the standard way to implement expect-ct. Usually, the deployment of this policy starts with the report only mode (<code>enforce: false</code>) and with a low <code>maxAge</code> (the number of seconds the policy will apply) value and next if everything works well it is recommended to block future connections that violate Expect-CT policy (<code>enforce: true</code>) and greater value for maxAge directive:
|
||
|
|
----
|
||
|
|
const express = require('express');
|
||
|
|
const expectCt = require('expect-ct');
|
||
|
|
|
||
|
|
let app = express(); // Compliant
|
||
|
|
|
||
|
|
app.use(expectCt({
|
||
|
|
enforce: true,
|
||
|
|
maxAge: 86400
|
||
|
|
}));
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|