express-sslify

Add option for setting HSTS headers

Open edmorley opened this issue 9 years ago • 0 comments

If Strict-Transport-Security headers are not set, it's trivial to strip SSL on connections made later from insecure networks (see https://vimeo.com/50018478#t=23m30s).

As such, I think it makes sense for express-sslify to: (a) have an option to set HSTS headers, and (b) for that option to be enabled by default.

Whilst currently users can combine express-sslify with https://github.com/helmetjs/hsts, I think having this functionality in-built makes sense.

This would be similar to what wsgi-sslify (a Python WSGI equivalent of this project) does: https://github.com/jacobian/wsgi-sslify/blob/c2d25e5cb735029d7f1f37af8ad9d30988373f89/wsgi_sslify.py#L20-L23

edmorley, Feb 20 '16 16:02
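
The behaviour this issue asks for, sketched as an added example that is not part of the original issue and is not express-sslify's code: an Express-style middleware that redirects plain HTTP to HTTPS and, by default, sets `Strict-Transport-Security` on HTTPS responses. The names `enforceHttpsWithHsts`, `buildHstsValue`, `simulate` and the `hsts` option are hypothetical, and the requests fed to it are constructed.

```javascript
// Added example; function and option names are hypothetical, not express-sslify's API.
function buildHstsValue({ maxAge = 31536000, includeSubDomains = false, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  return [`max-age=${maxAge}`, includeSubDomains && 'includeSubDomains', preload && 'preload']
    .filter(Boolean).join('; ');
}

function enforceHttpsWithHsts({ trustProtoHeader = false, hsts = {} } = {}) {
  // hsts: false disables the header; it is on by default, as the issue proposes.
  const hstsValue = hsts === false ? null : buildHstsValue(hsts);
  return function sslify(req, res, next) {
    let secure = Boolean(req.secure);
    // Trust X-Forwarded-Proto only behind a proxy that overwrites it.
    if (!secure && trustProtoHeader) {
      const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
      secure = proto.toLowerCase() === 'https';
    }
    if (secure) {
      // Sent on HTTPS responses only: browsers ignore HSTS received over plain HTTP.
      if (hstsValue) res.setHeader('Strict-Transport-Security', hstsValue);
      return next();
    }
    if (req.method === 'GET' || req.method === 'HEAD') {
      return res.redirect(301, `https://${req.headers.host}${req.url}`);
    }
    return res.status(403).send('Please use HTTPS when submitting data to this server.');
  };
}

// Constructed stand-in for Express req/res so the middleware runs offline.
function simulate(middleware, req) {
  const out = { headers: {}, status: null, location: null, passed: false };
  const res = {
    setHeader: (name, value) => { out.headers[name.toLowerCase()] = value; },
    redirect: (code, url) => { out.status = code; out.location = url; },
    status: (code) => { out.status = code; return res; },
    send: () => {},
  };
  middleware({ method: 'GET', url: '/', headers: { host: 'example.test' }, ...req }, res,
    () => { out.passed = true; });
  return out;
}
```

In an Express app the middleware would be mounted with `app.use(enforceHttpsWithHsts({ trustProtoHeader: true }))` when TLS terminates at a reverse proxy.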