Comparing version 2.1.0 to 2.2.0
index.js
@@ -1,7 +0,17 @@ | ||
var defaultMaxAge = 180 * 24 * 60 * 60 | ||
var deprecate = require('depd')('hsts') | ||
var DEFAULT_MAX_AGE = 180 * 24 * 60 * 60 | ||
module.exports = function hsts (options) { | ||
options = options || {} | ||
var maxAge = options.maxAge != null ? options.maxAge : defaultMaxAge | ||
if ('includeSubdomains' in options) { | ||
deprecate('The "includeSubdomains" parameter is deprecated. Use "includeSubDomains" (with a capital D) instead.') | ||
} | ||
if ('setIf' in options) { | ||
deprecate('The "setIf" parameter is deprecated. Refer to the documentation to see how to set the header conditionally.') | ||
} | ||
var maxAge = options.maxAge != null ? options.maxAge : DEFAULT_MAX_AGE | ||
var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false) | ||
@@ -8,0 +18,0 @@ var setIf = options.hasOwnProperty('setIf') ? options.setIf : alwaysTrue |
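Review bot: The deprecation check `if ('includeSubdomains' in options)` uses the `in` operator, which also matches inherited properties, while the `setIf` lookup shown on the following hunk header uses `options.hasOwnProperty('setIf')`; the two lookups should agree, e.g. `if (Object.prototype.hasOwnProperty.call(options, 'includeSubdomains')) {` (and likewise for `'setIf'`). After the warning fires, the deprecated lowercase key is still honored in `var includeSubDomains = (options.includeSubDomains !== false) && (options.includeSubdomains !== false)`, so `includeSubdomains: false` still drops the directive; a comment such as `// The deprecated lowercase spelling is still honored for backward compatibility` would make that intentional rather than accidental. A one-line comment on the new constant, `// 180 days expressed in seconds, the unit of the header's max-age directive`, would also help. The exported function's body continues outside the hunk.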
{ | ||
"name": "hsts", | ||
"author": "Adam Baldwin <baldwin@andyet.net> (http://andyet.net/team/baldwin)", | ||
"author": "Adam Baldwin <adam@npmjs.com> (https://evilpacket.net)", | ||
"contributors": [ | ||
@@ -8,3 +8,3 @@ "Evan Hahn <me@evanhahn.com> (https://evanhahn.com)" | ||
"description": "HTTP Strict Transport Security middleware.", | ||
"version": "2.1.0", | ||
"version": "2.2.0", | ||
"license": "MIT", | ||
@@ -23,12 +23,19 @@ "keywords": [ | ||
}, | ||
"bugs": "https://github.com/helmetjs/hsts/issues", | ||
"homepage": "https://helmetjs.github.io/docs/hsts/", | ||
"bugs": { | ||
"url": "https://github.com/helmetjs/hsts/issues", | ||
"email": "me@evanhahn.com" | ||
}, | ||
"engines": { | ||
"node": ">=4.0.0" | ||
}, | ||
"scripts": { | ||
"pretest": "standard", | ||
"pretest": "standard --fix", | ||
"test": "mocha" | ||
}, | ||
"devDependencies": { | ||
"connect": "^3.6.2", | ||
"mocha": "^3.4.2", | ||
"standard": "^10.0.2", | ||
"supertest": "^3.0.0" | ||
"connect": "^3.6.6", | ||
"mocha": "^6.0.2", | ||
"standard": "^12.0.1", | ||
"supertest": "^4.0.0" | ||
}, | ||
@@ -41,3 +48,6 @@ "standard": { | ||
] | ||
}, | ||
"dependencies": { | ||
"depd": "2.0.0" | ||
} | ||
} |
@@ -6,4 +6,2 @@ HTTP Strict Transport Security middleware | ||
[_Looking for a changelog?_](https://github.com/helmetjs/helmet/blob/master/HISTORY.md) | ||
This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](http://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to *switch* to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module. | ||
@@ -14,3 +12,3 @@ | ||
```javascript | ||
var hsts = require('hsts') | ||
const hsts = require('hsts') | ||
@@ -34,8 +32,8 @@ app.use(hsts({ | ||
Chrome lets you submit your site for baked-into-Chrome HSTS by adding `preload` to the header. You can add that with the following code, and then submit your site to the Chrome team at [hstspreload.appspot.com](https://hstspreload.appspot.com/). | ||
Some browsers let you submit your site's HSTS to be baked into the browser. You can add `preload` to the header with the following code. You can check your eligibility and submit your site at [hstspreload.org](https://hstspreload.org/). | ||
```javascript | ||
app.use(hsts({ | ||
maxAge: 10886400, // Must be at least 18 weeks to be approved by Google | ||
includeSubDomains: true, // Must be enabled to be approved by Google | ||
maxAge: 31536000, // Must be at least 1 year to be approved | ||
includeSubDomains: true, // Must be enabled to be approved | ||
preload: true | ||
@@ -45,13 +43,18 @@ })) | ||
This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). If you wish to set it conditionally, you can use `setIf`: | ||
This header will always be set because [the header is ignored in insecure HTTP](https://tools.ietf.org/html/rfc6797#section-8.1). You may wish to set it conditionally: | ||
```javascript | ||
app.use(hsts({ | ||
maxAge: 1234000, | ||
setIf: function (req, res) { | ||
return req.secure || (req.headers['x-forwarded-proto'] === 'https') | ||
const hstsMiddleware = hsts({ | ||
maxAge: 1234000 | ||
}) | ||
app.use((req, res, next) => { | ||
if (req.secure) { | ||
hstsMiddleware(req, res, next) | ||
} else { | ||
next() | ||
} | ||
})) | ||
}) | ||
``` | ||
This header is [somewhat well-supported by browsers](http://caniuse.com/#feat=stricttransportsecurity). | ||
This header is [somewhat well-supported by browsers](https://caniuse.com/#feat=stricttransportsecurity). |
+ Addeddepd@2.0.0
+ Addeddepd@2.0.0(transitive)