From 56162a01d93b04c9119f0c6e35d01a544274292c Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Tue, 7 Jun 2016 20:43:09 +0200
Subject: [PATCH] Use HSTS and HTTPS forwarding

---
 src/app.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/app.js b/src/app.js
index 5e58fd3..d4a4862 100644
--- a/src/app.js
+++ b/src/app.js
@@ -70,6 +70,7 @@ router.get('/user/:email', function *() { // shorthand link for sharing
 
 // Set HTTP response headers
 app.use(function *(next) {
+ this.set('Strict-Transport-Security', 'max-age=16070400');
 this.set('Access-Control-Allow-Origin', '*');
 this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
 this.set('Access-Control-Allow-Headers', 'Content-Type');
@@ -79,6 +80,15 @@ app.use(function *(next) {
 yield next;
 });
 
+// Redirect all http traffic to https
+app.use(function *(next) {
+ if (process.env.NODE_ENV === 'production' && !this.secure && this.get('X-Forwarded-Proto') === 'http') {
+ this.redirect('https://' + this.hostname + this.url);
+ } else {
+ yield next;
+ }
+});
+
 app.use(router.routes());
 app.use(router.allowedMethods());
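Review bot: The `Strict-Transport-Security` header added at the top of the header middleware (first hunk) is sent in every environment, while the redirect added in the second hunk is gated on `NODE_ENV === 'production'`, so any non-production host reached over HTTPS gets pinned by browsers for the full max-age. Consider applying the same gate, `if (process.env.NODE_ENV === 'production') { this.set('Strict-Transport-Security', 'max-age=16070400'); }`, and documenting the value with a comment such as `// HSTS for 186 days (16070400 s); browsers ignore the header on plain-HTTP responses`. The policy also omits `includeSubDomains`, so sibling hosts are not covered; worth confirming that is intended. The middleware body continues outside this hunk.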
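Review bot: The redirect target in the new middleware (second hunk) is assembled from `this.hostname`, which Koa derives from the request's `Host` header (or `X-Forwarded-Host` when `app.proxy` is enabled), so the `Location` value reflects whatever the client or an upstream hop supplied rather than the service's own name. Building it from a configured canonical host avoids that, and setting a permanent status avoids the default 302: `this.status = 301;` followed by `this.redirect('https://' + <CONFIGURED_HOST> + this.url);`, where `<CONFIGURED_HOST>` is a placeholder for the deployment's hostname setting. The condition also fires only when `X-Forwarded-Proto` is exactly `'http'`, so plain-HTTP requests arriving without that header fall through to the router; if the app always sits behind a proxy that sets the header this is acceptable, but it deserves a comment such as `// Relies on the fronting proxy setting X-Forwarded-Proto; direct HTTP requests are not redirected`.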