Add HTTPS public key pinning

This commit is contained in:
Tankred Hase 2016-06-10 17:48:41 +02:00
parent 68fba28dd9
commit 4b183c8976
4 changed files with 21 additions and 12 deletions

View File

@ -219,6 +219,8 @@ npm start
The `config/development.js` file can be used to configure a local development installation. For production use, the following environment variables need to be set: The `config/development.js` file can be used to configure a local development installation. For production use, the following environment variables need to be set:
* NODE_ENV=production * NODE_ENV=production
* UPGRADE_HTTPS=true (upgrade HTTP to HTTPS and use [HSTS](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security))
* PUBLIC_KEY_PIN=<base64 encoded sha256> (use [HPKP](https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning))
* MONGO_URI=127.0.0.1:27017/test_db * MONGO_URI=127.0.0.1:27017/test_db
* MONGO_USER=db_user * MONGO_USER=db_user
* MONGO_PASS=db_password * MONGO_PASS=db_password

View File

@ -6,6 +6,8 @@ module.exports = {
server: { server: {
port: process.env.PORT || 8888, port: process.env.PORT || 8888,
upgradeHTTPS: process.env.UPGRADE_HTTPS,
publicKeyPin: process.env.PUBLIC_KEY_PIN
}, },
mongo: { mongo: {

View File

@ -5,7 +5,7 @@ module.exports = {
}, },
server: { server: {
upgradeHTTP: true upgradeHTTPS: process.env.UPGRADE_HTTPS || true // use HTTPS by default
}, }
}; };

View File

@ -73,9 +73,23 @@ router.get('/user/:search', function *() {
// display homepage // display homepage
router.get('/', home); router.get('/', home);
// Redirect all http traffic to https
app.use(function *(next) {
if (util.isTrue(config.server.upgradeHTTPS) && util.checkHTTP(this)) {
this.redirect('https://' + this.hostname + this.url);
} else {
yield next;
}
});
// Set HTTP response headers // Set HTTP response headers
app.use(function *(next) { app.use(function *(next) {
this.set('Strict-Transport-Security', 'max-age=16070400'); if (util.isTrue(config.server.upgradeHTTPS)) {
this.set('Strict-Transport-Security', 'max-age=31536000');
}
if (config.server.publicKeyPin) {
this.set('Public-Key-Pins', 'pin-sha256="' + config.server.publicKeyPin + '"');
}
this.set('Access-Control-Allow-Origin', '*'); this.set('Access-Control-Allow-Origin', '*');
this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
this.set('Access-Control-Allow-Headers', 'Content-Type'); this.set('Access-Control-Allow-Headers', 'Content-Type');
@ -84,15 +98,6 @@ app.use(function *(next) {
yield next; yield next;
}); });
// Redirect all http traffic to https
app.use(function *(next) {
if (config.server.upgradeHTTP && util.checkHTTP(this)) {
this.redirect('https://' + this.hostname + this.url);
} else {
yield next;
}
});
app.use(router.routes()); app.use(router.routes());
app.use(router.allowedMethods()); app.use(router.allowedMethods());