2020-06-30 12:50:28 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
2020-12-21 15:38:52 +01:00
In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet[helmet] or https://www.npmjs.com/package/hsts[hsts] middleware are disabled or used without recommended values:
2020-06-30 14:49:38 +02:00
2020-06-30 12:50:28 +02:00
----
const express = require('express');
2020-12-21 15:38:52 +01:00
const helmet = require('helmet');
2020-06-30 12:50:28 +02:00
let app = express();
2020-12-21 15:38:52 +01:00
app.use(helmet.hsts({
2020-06-30 12:50:28 +02:00
maxAge: 3153600, // Sensitive, recommended >= 15552000
2020-12-21 15:38:52 +01:00
includeSubDomains: false // Sensitive, recommended 'true'
2020-06-30 12:50:28 +02:00
}));
----
== Compliant Solution
In Express.js application a standard way to implement HSTS is with the https://www.npmjs.com/package/helmet[helmet] or https://www.npmjs.com/package/hsts[hsts] middleware:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:50:28 +02:00
----
const express = require('express');
const helmet = require('helmet');
2020-12-21 15:38:52 +01:00
let app = express();
2020-06-30 12:50:28 +02:00
2020-12-21 15:38:52 +01:00
app.use(helmet.hsts({
2020-06-30 12:50:28 +02:00
maxAge: 31536000,
2020-12-21 15:38:52 +01:00
includeSubDomains: true
})); // Compliant
2020-06-30 12:50:28 +02:00
----
include::../see.adoc[]
2023-06-22 10:38:01 +02:00
2021-09-20 15:38:42 +02:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]
