hsts - npm Package Compare versions
Comparing version 2.0.0 to 2.1.0
29
index.js
@@ -1,3 +0,1 @@ | ||
| var util = require('core-util-is') | ||
| var defaultMaxAge = 180 * 24 * 60 * 60 | ||
@@ -10,4 +8,3 @@ | ||
| var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false) | ||
| var force = options.force | ||
| var setIf = options.setIf | ||
| var setIf = options.hasOwnProperty('setIf') ? options.setIf : alwaysTrue | ||
@@ -20,3 +17,3 @@ if (options.hasOwnProperty('maxage')) { | ||
| } | ||
| if (!util.isNumber(maxAge)) { | ||
| if (typeof maxAge !== 'number') { | ||
| throw new TypeError('HSTS must be passed a numeric maxAge parameter.') | ||
@@ -27,9 +24,4 @@ } | ||
| } | ||
| if (options.hasOwnProperty('setIf')) { | ||
| if (!util.isFunction(setIf)) { | ||
| throw new TypeError('setIf must be a function.') | ||
| } | ||
| if (options.hasOwnProperty('force')) { | ||
| throw new Error('setIf and force cannot both be specified.') | ||
| } | ||
| if (typeof setIf !== 'function') { | ||
| throw new TypeError('setIf must be a function.') | ||
| } | ||
@@ -49,10 +41,3 @@ if (options.hasOwnProperty('includeSubDomains') && options.hasOwnProperty('includeSubdomains')) { | ||
| return function hsts (req, res, next) { | ||
| var setHeader | ||
| if (setIf) { | ||
| setHeader = setIf(req, res) | ||
| } else { | ||
| setHeader = force || req.secure | ||
| } | ||
| if (setHeader) { | ||
| if (setIf(req, res)) { | ||
| res.setHeader('Strict-Transport-Security', header) | ||
@@ -64,1 +49,5 @@ } | ||
| } | ||
| function alwaysTrue () { | ||
| return true | ||
| } |
@@ -5,6 +5,6 @@ { | ||
| "contributors": [ | ||
| "Evan Hahn <me@evanhahn.com> (http://evanhahn.com)" | ||
| "Evan Hahn <me@evanhahn.com> (https://evanhahn.com)" | ||
| ], | ||
| "description": "HTTP Strict Transport Security middleware.", | ||
| "version": "2.0.0", | ||
| "version": "2.1.0", | ||
| "license": "MIT", | ||
@@ -29,9 +29,7 @@ "keywords": [ | ||
| "devDependencies": { | ||
| "mocha": "^3.1.2", | ||
| "sinon": "^1.17.6", | ||
| "standard": "^8.5.0" | ||
| "connect": "^3.6.2", | ||
| "mocha": "^3.4.2", | ||
| "standard": "^10.0.2", | ||
| "supertest": "^3.0.0" | ||
| }, | ||
| "dependencies": { | ||
| "core-util-is": "1.0.2" | ||
| }, | ||
| "standard": { | ||
@@ -38,0 +36,0 @@ "globals": [ |
@@ -8,3 +8,3 @@ HTTP Strict Transport Security middleware | ||
| This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) | ||
| This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. | ||
@@ -43,6 +43,5 @@ This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days: | ||
| This header will be set `req.secure` is true, a boolean auto-populated by Express. If you're not using Express, that value won't necessarily be set, so you have two options: | ||
| This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). If you wish to set it conditionally, you can use `setIf`: | ||
| ```javascript | ||
| // Set the header based on a condition | ||
| app.use(hsts({ | ||
@@ -54,10 +53,4 @@ maxAge: 1234000, | ||
| })) | ||
| // ALWAYS set the header | ||
| app.use(hsts({ | ||
| maxAge: 1234000, | ||
| force: true | ||
| })) | ||
| ``` | ||
| This only works if your site actually has HTTPS. It won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce this with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). | ||
| This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Dependency count
- decreased by-100%
0
Worsened metrics
- Total package byte prevSize
- decreased by-6.6%
5815
- Dev dependency count
- increased by33.33%
4
- Lines of code
- decreased by-19.61%
41
- Number of lines in readme file
- decreased by-11.48%
54
Dependency changes
- Removedcore-util-is@1.0.2
- Removedcore-util-is@1.0.2(transitive)