hsts - npm Package Compare versions
Comparing version 2.1.0 to 2.2.0
14
index.js
@@ -1,7 +0,17 @@ | ||
| var defaultMaxAge = 180 * 24 * 60 * 60 | ||
| var deprecate = require('depd')('hsts') | ||
| var DEFAULT_MAX_AGE = 180 * 24 * 60 * 60 | ||
| module.exports = function hsts (options) { | ||
| options = options || {} | ||
| var maxAge = options.maxAge != null ? options.maxAge : defaultMaxAge | ||
| if ('includeSubdomains' in options) { | ||
| deprecate('The "includeSubdomains" parameter is deprecated. Use "includeSubDomains" (with a capital D) instead.') | ||
| } | ||
| if ('setIf' in options) { | ||
| deprecate('The "setIf" parameter is deprecated. Refer to the documentation to see how to set the header conditionally.') | ||
| } | ||
| var maxAge = options.maxAge != null ? options.maxAge : DEFAULT_MAX_AGE | ||
| var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false) | ||
@@ -8,0 +18,0 @@ var setIf = options.hasOwnProperty('setIf') ? options.setIf : alwaysTrue |
| { | ||
| "name": "hsts", | ||
| "author": "Adam Baldwin <baldwin@andyet.net> (http://andyet.net/team/baldwin)", | ||
| "author": "Adam Baldwin <adam@npmjs.com> (https://evilpacket.net)", | ||
| "contributors": [ | ||
@@ -8,3 +8,3 @@ "Evan Hahn <me@evanhahn.com> (https://evanhahn.com)" | ||
| "description": "HTTP Strict Transport Security middleware.", | ||
| "version": "2.1.0", | ||
| "version": "2.2.0", | ||
| "license": "MIT", | ||
@@ -23,12 +23,19 @@ "keywords": [ | ||
| }, | ||
| "bugs": "https://github.com/helmetjs/hsts/issues", | ||
| "homepage": "https://helmetjs.github.io/docs/hsts/", | ||
| "bugs": { | ||
| "url": "https://github.com/helmetjs/hsts/issues", | ||
| "email": "me@evanhahn.com" | ||
| }, | ||
| "engines": { | ||
| "node": ">=4.0.0" | ||
| }, | ||
| "scripts": { | ||
| "pretest": "standard", | ||
| "pretest": "standard --fix", | ||
| "test": "mocha" | ||
| }, | ||
| "devDependencies": { | ||
| "connect": "^3.6.2", | ||
| "mocha": "^3.4.2", | ||
| "standard": "^10.0.2", | ||
| "supertest": "^3.0.0" | ||
| "connect": "^3.6.6", | ||
| "mocha": "^6.0.2", | ||
| "standard": "^12.0.1", | ||
| "supertest": "^4.0.0" | ||
| }, | ||
@@ -41,3 +48,6 @@ "standard": { | ||
| ] | ||
| }, | ||
| "dependencies": { | ||
| "depd": "2.0.0" | ||
| } | ||
| } |
@@ -6,4 +6,2 @@ HTTP Strict Transport Security middleware | ||
| [_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md) | ||
| This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. | ||
@@ -14,3 +12,3 @@ | ||
| ```javascript | ||
| var hsts = require('hsts') | ||
| const hsts = require('hsts') | ||
@@ -34,8 +32,8 @@ app.use(hsts({ | ||
| Chrome lets you submit your site for baked-into-Chrome HSTS by adding `preload` to the header. You can add that with the following code, and then submit your site to the Chrome team at [hstspreload.appspot.com](https://hstspreload.appspot.com/). | ||
| Some browsers let you submit your site's HSTS to be baked into the browser. You can add `preload` to the header with the following code. You can check your eligibility and submit your site at [hstspreload.org](https://hstspreload.org/). | ||
| ```javascript | ||
| app.use(hsts({ | ||
| maxAge: 10886400, // Must be at least 18 weeks to be approved by Google | ||
| includeSubDomains: true, // Must be enabled to be approved by Google | ||
| maxAge: 31536000, // Must be at least 1 year to be approved | ||
| includeSubDomains: true, // Must be enabled to be approved | ||
| preload: true | ||
@@ -45,13 +43,18 @@ })) | ||
| This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). If you wish to set it conditionally, you can use `setIf`: | ||
| This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). You may wish to set it conditionally: | ||
| ```javascript | ||
| app.use(hsts({ | ||
| maxAge: 1234000, | ||
| setIf: function (req, res) { | ||
| return req.secure || (req.headers['x-forwarded-proto'] === 'https') | ||
| const hstsMiddleware = hsts({ | ||
| maxAge: 1234000 | ||
| }) | ||
| app.use((req, res, next) => { | ||
| if (req.secure) { | ||
| hstsMiddleware(req, res, next) | ||
| } else { | ||
| next() | ||
| } | ||
| })) | ||
| }) | ||
| ``` | ||
| This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). | ||
| This header is [somewhat well-supported by browsers](https://caniuse.com/#feat=stricttransportsecurity). |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
No bug tracker
MaintenancePackage does not have a linked bug tracker in package.json.
Found 1 instance in 1 package
No website
QualityPackage does not have a website.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by23.2%
7164
- Lines of code
- increased by17.07%
48
- Number of low maintenance alerts
- decreased by-50%
1
- Number of lines in readme file
- increased by5.56%
57
Worsened metrics
- Dependency count
- increased byInfinity%
1
Dependency changes
+ Addeddepd@2.0.0
+ Addeddepd@2.0.0(transitive)