41 lines
1.1 KiB
Plaintext
41 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In Express.js application the code is sensitive if the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is disabled:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(
|
|
helmet({
|
|
expectCt: false // Sensitive
|
|
})
|
|
);
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In Express.js application the https://www.npmjs.com/package/expect-ct[expect-ct] middleware is the standard way to implement expect-ct. Usually, the deployment of this policy starts with the report only mode (``enforce: false``) and with a low ``maxAge`` (the number of seconds the policy will apply) value and next if everything works well it is recommended to block future connections that violate Expect-CT policy (``enforce: true``) and greater value for maxAge directive:
|
|
|
|
----
|
|
const express = require('express');
|
|
const helmet = require('helmet');
|
|
|
|
let app = express();
|
|
|
|
app.use(helmet.expectCt({
|
|
enforce: true,
|
|
maxAge: 86400
|
|
})); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|