48 lines
1.1 KiB
Plaintext
48 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/helmet[helmet] or https://www.npmjs.com/package/hsts[hsts] middleware are not used or used without recommended values:
|
|
|
|
----
|
|
const express = require('express');
|
|
const hsts = require('hsts');
|
|
|
|
let app = express();
|
|
|
|
app.use(hsts({
|
|
maxAge: 3153600, // Sensitive, recommended >= 15552000
|
|
includeSubDomains: false, // Sensitive, recommended 'true'
|
|
}));
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In Express.js application a standard way to implement HSTS is with the https://www.npmjs.com/package/helmet[helmet] or https://www.npmjs.com/package/hsts[hsts] middleware:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
const hsts = require('hsts');
|
|
|
|
let appHsts = express(); // Compliant
|
|
|
|
hsts.use(hsts({
|
|
maxAge: 31536000,
|
|
includeSubDomains: true,
|
|
}));
|
|
|
|
let appHelmet = express(); // Compliant
|
|
|
|
appHelmet.use(helmet.hsts({
|
|
maxAge: 31536000,
|
|
includeSubDomains: true,
|
|
}));
|
|
----
|
|
|
|
include::../see.adoc[]
|