Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
hsts - npm Package Compare versions
Comparing version 1.0.0 to 2.0.0
35
index.js
| var util = require('core-util-is') | ||
| var oneDay = 86400000 | ||
| var defaultMaxAge = 180 * 24 * 60 * 60 | ||
@@ -8,32 +8,33 @@ module.exports = function hsts (options) { | ||
| var maxAgeMS = options.maxAge != null ? options.maxAge : oneDay | ||
| var maxAge = options.maxAge != null ? options.maxAge : defaultMaxAge | ||
| var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false) | ||
| var force = options.force | ||
| var setIf = options.setIf | ||
| if (options.maxage != null) { | ||
| throw new Error('Did you mean to pass "maxAge" instead of "maxage"?') | ||
| if (options.hasOwnProperty('maxage')) { | ||
| throw new Error('maxage is not a supported property. Did you mean to pass "maxAge" instead of "maxage"?') | ||
| } | ||
| if (!util.isObject(options)) { | ||
| throw new Error('HSTS must be passed an object or undefined.') | ||
| } | ||
| if (arguments.length > 1) { | ||
| throw new Error('HSTS passed the wrong number of arguments.') | ||
| } | ||
| if (!util.isNumber(maxAgeMS)) { | ||
| if (!util.isNumber(maxAge)) { | ||
| throw new TypeError('HSTS must be passed a numeric maxAge parameter.') | ||
| } | ||
| if (maxAgeMS < 0) { | ||
| if (maxAge < 0) { | ||
| throw new RangeError('HSTS maxAge must be nonnegative.') | ||
| } | ||
| if (setIf && !util.isFunction(setIf)) { | ||
| throw new TypeError('setIf must be a function.') | ||
| if (options.hasOwnProperty('setIf')) { | ||
| if (!util.isFunction(setIf)) { | ||
| throw new TypeError('setIf must be a function.') | ||
| } | ||
| if (options.hasOwnProperty('force')) { | ||
| throw new Error('setIf and force cannot both be specified.') | ||
| } | ||
| } | ||
| if (setIf && force) { | ||
| throw new Error('setIf and force cannot both be specified.') | ||
| if (options.hasOwnProperty('includeSubDomains') && options.hasOwnProperty('includeSubdomains')) { | ||
| throw new Error('includeSubDomains and includeSubdomains cannot both be specified.') | ||
| } | ||
| var maxAge = Math.round(maxAgeMS / 1000) | ||
| var header = 'max-age=' + maxAge | ||
| if (options.includeSubDomains || options.includeSubdomains) { | ||
| var header = 'max-age=' + Math.round(maxAge) | ||
| if (includeSubDomains) { | ||
| header += '; includeSubDomains' | ||
@@ -40,0 +41,0 @@ } |
@@ -8,3 +8,3 @@ { | ||
| "description": "HTTP Strict Transport Security middleware.", | ||
| "version": "1.0.0", | ||
| "version": "2.0.0", | ||
| "license": "MIT", | ||
@@ -25,8 +25,9 @@ "keywords": [ | ||
| "scripts": { | ||
| "test": "standard && mocha" | ||
| "pretest": "standard", | ||
| "test": "mocha" | ||
| }, | ||
| "devDependencies": { | ||
| "mocha": "^2.3.4", | ||
| "sinon": "^1.17.2", | ||
| "standard": "^5.4.1" | ||
| "mocha": "^3.1.2", | ||
| "sinon": "^1.17.6", | ||
| "standard": "^8.5.0" | ||
| }, | ||
@@ -33,0 +34,0 @@ "dependencies": { |
@@ -1,2 +0,2 @@ | ||
| HTTP Strict Transport Security middlware | ||
| HTTP Strict Transport Security middleware | ||
| ======================================== | ||
@@ -6,19 +6,25 @@ [](https://travis-ci.org/helmetjs/hsts) | ||
| This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04) for more.) | ||
| [_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md) | ||
| This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next ninety days: | ||
| This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) | ||
| This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days: | ||
| ```javascript | ||
| var hsts = require('hsts') | ||
| var ninetyDaysInMilliseconds = 7776000000 | ||
| app.use(hsts({ maxAge: ninetyDaysInMilliseconds })) | ||
| app.use(hsts({ | ||
| maxAge: 15552000 // 180 days in seconds | ||
| })) | ||
| // Strict-Transport-Security: max-age: 15552000; includeSubDomains | ||
| ``` | ||
| You can also include subdomains. If this is set on *example.com*, supported browsers will also use HTTPS on *my-subdomain.example.com*. Here's how you do that: | ||
| Note that the max age must be in seconds. *This was different in previous versions of this module!* | ||
| The `includeSubDomains` directive is present by default. If this header is set on *example.com*, supported browsers will also use HTTPS on *my-subdomain.example.com*. You can disable this: | ||
| ```javascript | ||
| app.use(hsts({ | ||
| maxAge: 123000, | ||
| includeSubDomains: true | ||
| maxAge: 15552000, | ||
| includeSubDomains: false | ||
| })) | ||
@@ -31,3 +37,3 @@ ``` | ||
| app.use(hsts({ | ||
| maxAge: 10886400000, // Must be at least 18 weeks to be approved by Google | ||
| maxAge: 10886400, // Must be at least 18 weeks to be approved by Google | ||
| includeSubDomains: true, // Must be enabled to be approved by Google | ||
@@ -38,10 +44,10 @@ preload: true | ||
| This'll be set if `req.secure` is true, a boolean auto-populated by Express. If you're not using Express, that value won't necessarily be set, so you have two options: | ||
| This header will be set `req.secure` is true, a boolean auto-populated by Express. If you're not using Express, that value won't necessarily be set, so you have two options: | ||
| ```javascript | ||
| // Set the header based on conditions | ||
| // Set the header based on a condition | ||
| app.use(hsts({ | ||
| maxAge: 1234000, | ||
| setIf: function(req, res) { | ||
| return Math.random() < 0.5; | ||
| setIf: function (req, res) { | ||
| return req.secure || (req.headers['x-forwarded-proto'] === 'https') | ||
| } | ||
@@ -57,4 +63,2 @@ })) | ||
| Note that the max age is in milliseconds, even though the spec uses seconds. This will round to the nearest full second. | ||
| This only works if your site actually has HTTPS. It won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce this with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Improved metrics
- Number of lines in readme file
- increased by7.02%
61
- Number of medium supply chain risk alerts
- decreased by-100%
0
Worsened metrics
- Total package byte prevSize
- decreased by-40.64%
6226
- Number of package files
- decreased by-28.57%
5
- Lines of code
- decreased by-69.46%
51
No dependency changes