Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Readme
This middleware adds the Strict-Transport-Security
header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.) Note that the header won't tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the express-enforces-ssl module.
This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:
const hsts = require('hsts')
app.use(hsts({
maxAge: 15552000 // 180 days in seconds
}))
// Strict-Transport-Security: max-age: 15552000; includeSubDomains
Note that the max age must be in seconds. This was different in previous versions of this module!
The includeSubDomains
directive is present by default. If this header is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. You can disable this:
app.use(hsts({
maxAge: 15552000,
includeSubDomains: false
}))
Some browsers let you submit your site's HSTS to be baked into the browser. You can add preload
to the header with the following code. You can check your eligibility and submit your site at hstspreload.org.
app.use(hsts({
maxAge: 31536000, // Must be at least 1 year to be approved
includeSubDomains: true, // Must be enabled to be approved
preload: true
}))
This header will always be set because the header is ignored in insecure HTTP. You may wish to set it conditionally:
const hstsMiddleware = hsts({
maxAge: 1234000
})
app.use((req, res, next) => {
if (req.secure) {
hstsMiddleware(req, res, next)
} else {
next()
}
})
This header is somewhat well-supported by browsers.
FAQs
HTTP Strict Transport Security middleware.
The npm package hsts receives a total of 401,618 weekly downloads. As such, hsts popularity was classified as popular.
We found that hsts demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.