51 lines
1.3 KiB
Plaintext
51 lines
1.3 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is disabled:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet({
|
|
expectCt: false // Sensitive
|
|
})
|
|
);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In Express.js application the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is the standard way to implement expect-ct. Usually, the deployment of this policy starts with the report only mode (``++enforce: false++``) and with a low ``++maxAge++`` (the number of seconds the policy will apply) value and next if everything works well it is recommended to block future connections that violate Expect-CT policy (``++enforce: true++``) and greater value for maxAge directive:
|
|
|
|
[source,javascript]
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(helmet.expectCt({
|
|
enforce: true,
|
|
maxAge: 86400
|
|
})); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|