Comparing version 2.0.0 to 2.1.0
index.js
@@ -1,3 +0,1 @@ | ||
var util = require('core-util-is') | ||
var defaultMaxAge = 180 * 24 * 60 * 60 | ||
@@ -10,4 +8,3 @@ | ||
var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false) | ||
var force = options.force | ||
var setIf = options.setIf | ||
var setIf = options.hasOwnProperty('setIf') ? options.setIf : alwaysTrue | ||
@@ -20,3 +17,3 @@ if (options.hasOwnProperty('maxage')) { | ||
} | ||
if (!util.isNumber(maxAge)) { | ||
if (typeof maxAge !== 'number') { | ||
throw new TypeError('HSTS must be passed a numeric maxAge parameter.') | ||
@@ -27,9 +24,4 @@ } | ||
} | ||
if (options.hasOwnProperty('setIf')) { | ||
if (!util.isFunction(setIf)) { | ||
throw new TypeError('setIf must be a function.') | ||
} | ||
if (options.hasOwnProperty('force')) { | ||
throw new Error('setIf and force cannot both be specified.') | ||
} | ||
if (typeof setIf !== 'function') { | ||
throw new TypeError('setIf must be a function.') | ||
} | ||
@@ -49,10 +41,3 @@ if (options.hasOwnProperty('includeSubDomains') && options.hasOwnProperty('includeSubdomains')) { | ||
return function hsts (req, res, next) { | ||
var setHeader | ||
if (setIf) { | ||
setHeader = setIf(req, res) | ||
} else { | ||
setHeader = force || req.secure | ||
} | ||
if (setHeader) { | ||
if (setIf(req, res)) { | ||
res.setHeader('Strict-Transport-Security', header) | ||
@@ -64,1 +49,5 @@ } | ||
} | ||
function alwaysTrue () { | ||
return true | ||
} |
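Review bot: The replacement `typeof maxAge !== 'number'` check in the `@@ -20,3 +17,3 @@` hunk still lets `NaN` and `Infinity` through, exactly as `util.isNumber` did, and the commit does not tighten it while touching the line. A `maxAge < 0` guard, if that is what the block closed by the next hunk's leading `}` holds, will not catch `NaN` because every comparison with `NaN` is false, so a caller passing a coerced value such as `Number('oops')` would presumably emit `max-age=NaN`, which browsers discard and which therefore silently disables HSTS. Changing the guard to `if (typeof maxAge !== 'number' || !isFinite(maxAge)) {` closes both cases without changing the thrown error type. The enclosing factory function starts before the first hunk and the header string is assembled outside the visible hunks, so the exact emitted value should be confirmed there.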
@@ -5,6 +5,6 @@ { | ||
"contributors": [ | ||
"Evan Hahn <me@evanhahn.com> (http://evanhahn.com)" | ||
"Evan Hahn <me@evanhahn.com> (https://evanhahn.com)" | ||
], | ||
"description": "HTTP Strict Transport Security middleware.", | ||
"version": "2.0.0", | ||
"version": "2.1.0", | ||
"license": "MIT", | ||
@@ -29,9 +29,7 @@ "keywords": [ | ||
"devDependencies": { | ||
"mocha": "^3.1.2", | ||
"sinon": "^1.17.6", | ||
"standard": "^8.5.0" | ||
"connect": "^3.6.2", | ||
"mocha": "^3.4.2", | ||
"standard": "^10.0.2", | ||
"supertest": "^3.0.0" | ||
}, | ||
"dependencies": { | ||
"core-util-is": "1.0.2" | ||
}, | ||
"standard": { | ||
@@ -38,0 +36,0 @@ "globals": [ |
@@ -8,3 +8,3 @@ HTTP Strict Transport Security middleware | ||
This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) | ||
This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. | ||
@@ -43,6 +43,5 @@ This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days: | ||
This header will be set `req.secure` is true, a boolean auto-populated by Express. If you're not using Express, that value won't necessarily be set, so you have two options: | ||
This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). If you wish to set it conditionally, you can use `setIf`: | ||
```javascript | ||
// Set the header based on a condition | ||
app.use(hsts({ | ||
@@ -54,10 +53,4 @@ maxAge: 1234000, | ||
})) | ||
// ALWAYS set the header | ||
app.use(hsts({ | ||
maxAge: 1234000, | ||
force: true | ||
})) | ||
``` | ||
This only works if your site actually has HTTPS. It won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce this with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). | ||
This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). |
- Removedcore-util-is@1.0.2
- Removedcore-util-is@1.0.2(transitive)