Add HTTPS public key pinning
This commit is contained in:
Tankred Hase
parent
68fba28dd9
commit
4b183c8976
|
|
@ -219,6 +219,8 @@ npm start
|
|||
The `config/development.js` file can be used to configure a local development installation. For production use, the following environment variables need to be set:
|
||||
|
||||
* NODE_ENV=production
|
||||
* UPGRADE_HTTPS=true (upgrade HTTP to HTTPS and use [HSTS](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security))
|
||||
* PUBLIC_KEY_PIN=<base64 encoded sha256> (use [HPKP](https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning))
|
||||
* MONGO_URI=127.0.0.1:27017/test_db
|
||||
* MONGO_USER=db_user
|
||||
* MONGO_PASS=db_password
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@ module.exports = {
|
|||
|
||||
server: {
|
||||
port: process.env.PORT || 8888,
|
||||
upgradeHTTPS: process.env.UPGRADE_HTTPS,
|
||||
publicKeyPin: process.env.PUBLIC_KEY_PIN
|
||||
},
|
||||
|
||||
mongo: {
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ module.exports = {
|
|||
},
|
||||
|
||||
server: {
|
||||
upgradeHTTP: true
|
||||
},
|
||||
upgradeHTTPS: process.env.UPGRADE_HTTPS || true // use HTTPS by default
|
||||
}
|
||||
|
||||
};
|
||||
25
src/app.js
25
src/app.js
|
|
@ -73,9 +73,23 @@ router.get('/user/:search', function *() {
|
|||
// display homepage
|
||||
router.get('/', home);
|
||||
|
||||
// Redirect all http traffic to https
|
||||
app.use(function *(next) {
|
||||
if (util.isTrue(config.server.upgradeHTTPS) && util.checkHTTP(this)) {
|
||||
this.redirect('https://' + this.hostname + this.url);
|
||||
} else {
|
||||
yield next;
|
||||
}
|
||||
});
|
||||
|
||||
// Set HTTP response headers
|
||||
app.use(function *(next) {
|
||||
this.set('Strict-Transport-Security', 'max-age=16070400');
|
||||
if (util.isTrue(config.server.upgradeHTTPS)) {
|
||||
this.set('Strict-Transport-Security', 'max-age=31536000');
|
||||
}
|
||||
if (config.server.publicKeyPin) {
|
||||
this.set('Public-Key-Pins', 'pin-sha256="' + config.server.publicKeyPin + '"');
|
||||
}
|
||||
this.set('Access-Control-Allow-Origin', '*');
|
||||
this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
|
||||
this.set('Access-Control-Allow-Headers', 'Content-Type');
|
||||
|
|
@ -84,15 +98,6 @@ app.use(function *(next) {
|
|||
yield next;
|
||||
});
|
||||
|
||||
// Redirect all http traffic to https
|
||||
app.use(function *(next) {
|
||||
if (config.server.upgradeHTTP && util.checkHTTP(this)) {
|
||||
this.redirect('https://' + this.hostname + this.url);
|
||||
} else {
|
||||
yield next;
|
||||
}
|
||||
});
|
||||
|
||||
app.use(router.routes());
|
||||
app.use(router.allowedMethods());
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user