The 'hsts' npm package is used to set the HTTP Strict Transport Security (HSTS) header in web applications. This header is used to enforce secure (HTTP over SSL/TLS) connections to the server.
Basic HSTS Header Setup
This code sets up a basic Express server and uses the 'hsts' middleware to set the HSTS header with a max age of 1 year (31536000 seconds).
const hsts = require('hsts');
const express = require('express');
const app = express();
app.use(hsts({ maxAge: 31536000 })); // 1 year in seconds
app.get('/', (req, res) => {
res.send('Hello, world!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});HSTS with Subdomains
This code sets the HSTS header to include subdomains by setting the 'includeSubDomains' option to true.
const hsts = require('hsts');
const express = require('express');
const app = express();
app.use(hsts({ maxAge: 31536000, includeSubDomains: true }));
app.get('/', (req, res) => {
res.send('Hello, world!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});HSTS with Preload
This code sets the HSTS header with the 'preload' option, which allows the domain to be included in browsers' HSTS preload lists.
const hsts = require('hsts');
const express = require('express');
const app = express();
app.use(hsts({ maxAge: 31536000, preload: true }));
app.get('/', (req, res) => {
res.send('Hello, world!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});Helmet is a comprehensive security middleware for Express applications. It includes various security headers, including HSTS, making it a more feature-rich alternative to the 'hsts' package. Helmet can be used to set multiple security headers with a single middleware.
This middleware adds the Strict-Transport-Security header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". (See the spec for more.) Note that the header won't tell users on HTTP to switch to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the express-enforces-ssl module.
This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:
var hsts = require('hsts')
app.use(hsts({
maxAge: 15552000 // 180 days in seconds
}))
// Strict-Transport-Security: max-age: 15552000; includeSubDomains
Note that the max age must be in seconds. This was different in previous versions of this module!
The includeSubDomains directive is present by default. If this header is set on example.com, supported browsers will also use HTTPS on my-subdomain.example.com. You can disable this:
app.use(hsts({
maxAge: 15552000,
includeSubDomains: false
}))
Chrome lets you submit your site for baked-into-Chrome HSTS by adding preload to the header. You can add that with the following code, and then submit your site to the Chrome team at hstspreload.appspot.com.
app.use(hsts({
maxAge: 10886400, // Must be at least 18 weeks to be approved by Google
includeSubDomains: true, // Must be enabled to be approved by Google
preload: true
}))
This header will always be set because the header is ignored in insecure HTTP. If you wish to set it conditionally, you can use setIf:
app.use(hsts({
maxAge: 1234000,
setIf: function (req, res) {
return req.secure || (req.headers['x-forwarded-proto'] === 'https')
}
}))
This header is somewhat well-supported by browsers.
FAQs
HTTP Strict Transport Security middleware.
The npm package hsts receives a total of 449,931 weekly downloads. As such, hsts popularity was classified as popular.
We found that hsts demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.
Security News
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.