search

FoalTS / foal

Full-featured Node.js framework 🚀
https://foalts.org/
MIT License
1.9k stars 142 forks source link

Strict-Transport-Security header #1146

Closed MuppetPower closed 2 years ago

MuppetPower commented 2 years ago

I see that createApp sets the Strict-Transport-Security header to 'max-age=15552000; includeSubDomains'

Is there a reason it is 15552000 rather than the usual best practice value of 31536000?

I tried to set the header though express but the value from Foal persists and I don't think there is another way to override it?

I'd be happy to create a PR to change it, but I'm not sure if there is a reason that wouldn't be a good idea.

LoicPoullain commented 2 years ago

Is there a reason it is 15552000 rather than the usual best practice value of 31536000?

This is the value used by default in Helmet. Do you have a particular source that would define 31536000 as a better value?

I tried to set the header though express but the value from Foal persists and I don't think there is another way to override it?

You can do it with a post-hook function like this:

@Hook(() => response => response.setHeader('header-name', 'value'))
export class AppController {}
MuppetPower commented 2 years ago

This is the value used by default in Helmet. Do you have a particular source that would define 31536000 as a better value?

Here are a few sources - for me it came up in a pen test.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html https://stackoverflow.com/questions/48497736/what-is-max-age-property-in-hsts-security-header https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/http-strict-transport-security-hsts-max-age-value-too-low/

You can do it with a post-hook function like this:

ah of course, thanks!

MuppetPower commented 2 years ago

Also, you can override the setting in helmet, but it will be changed by Foal unless you have your own hook.

helmet({ hsts: { maxAge: 31536000 } })

LoicPoullain commented 2 years ago

Here are a few sources - for me it came up in a pen test.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html https://stackoverflow.com/questions/48497736/what-is-max-age-property-in-hsts-security-header https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/http-strict-transport-security-hsts-max-age-value-too-low/

Thank you for the links. Let's go with the one-year value then. Do you want to submit a PR?

It should be straightforward with a global search on the repository. If you need some help, feel free to let me know!

LoicPoullain commented 2 years ago

Hi @MuppetPower 👋

I'm closing the issue as there has been no activity on it in the last two weeks. Feel free to re-open it and submit a PR if you feel like it. 👍

MuppetPower commented 2 years ago

I'm not sure if I've done it correctly but have opened a PR for this now : https://github.com/FoalTS/foal/pull/1155