Status: Closed (closed by webketje 4 months ago)
Good idea. We should change the default to 1 year.
This probably means updating this line:
And then updating all the tests that fail, which I hope is easy.
Closed in #459. Thanks to @webketje for raising this issue and @sohrb for addressing it!
Code: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/index.ts#L3
During a pen-test on our app, the current setting of 180 days was flagged as sub-optimal. When searching via the web, almost all authoritative websites default the max-age to 1 year, as a recommendation or in their examples:

- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html (recommendation)
- https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/configure-http-strict-transport-security-in-exchange-server?view=exchserver-2019 (recommendation)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security (examples)
- https://hstspreload.org (validation error when < 1 year)
Note: semver-major so probably for v8
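As an added illustration of the point raised in this issue (example code, not Helmet's own middleware), the following builds a Strict-Transport-Security value with a 1-year default and audits a received header against the 1-year bar that hstspreload.org enforces. The option names (maxAge in seconds, includeSubDomains, preload) are assumed here to mirror the usual shape; check Helmet's README for its actual options.

```javascript
// Added example, not code from the helmet project.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;     // 31536000: the floor hstspreload.org accepts
const OLD_DEFAULT_SECONDS = 180 * 24 * 60 * 60;  // 15552000: the 180-day value flagged in the pen-test

// Build a header value. Defaults to one year, the value the issue asks for.
function buildHsts({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Parse a header value as a client would see it. Directive names are
// case-insensitive and max-age may be a quoted-string, so both forms are accepted.
function parseHsts(value) {
  const parsed = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const m = /^max-age="?(\d+)"?$/i.exec(directive);
    if (m) parsed.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(directive)) parsed.includeSubDomains = true;
    else if (/^preload$/i.test(directive)) parsed.preload = true;
  }
  return parsed;
}

// Audit a header value the way a reviewer would: max-age must be at least one year,
// and, when the site is meant for the preload list, includeSubDomains and preload
// must also be present. Returns a list of findings; an empty list means it passes.
function auditHsts(value, { forPreloadList = false } = {}) {
  const h = parseHsts(value);
  const findings = [];
  if (h.maxAge === null) findings.push('missing max-age');
  else if (h.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`max-age ${h.maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  }
  if (forPreloadList) {
    if (!h.includeSubDomains) findings.push('includeSubDomains is required for preload');
    if (!h.preload) findings.push('preload directive is required for preload');
  }
  return findings;
}
```

Running `auditHsts(buildHsts({ maxAge: OLD_DEFAULT_SECONDS }))` reproduces the pen-test finding, while the default `buildHsts()` passes.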