JavaScript

Made by DeepSource

Avoid insecure HTTP strict transport security JS-S1002

Security
Critical
Autofix

When using Node.js and Express, HTTPS policies can be configured through the helmet library. The includeSubDomains option of its HSTS middleware determines whether the Strict-Transport-Security policy applies only to the site itself or to all of its subdomains as well.

When applying strict transport policies while configuring HTTPS, it is recommended to apply the policies to all subdomains. Websites that support HTTPS will redirect to their HTTPS versions even when an HTTP version is requested by a client. These redirects are not encrypted and are therefore vulnerable to MITM attacks. The Strict-Transport-Security policy header (HSTS) set by an application instructs the web browser to convert any HTTP request to HTTPS.

Web browsers that see the Strict-Transport-Security policy header for the first time record information specified in the header:

  • The max-age directive specifies how long, in seconds, the web browser should remember the policy.
  • The includeSubDomains optional directive specifies whether the policy also applies to all subdomains.
  • The preload optional directive is not part of the HSTS specification but supported on all modern web browsers.

Bad Practice

import express from 'express';
import helmet from 'helmet';

const app = express();
// Policy covers only this host; subdomains stay reachable over plain HTTP
app.use(helmet.hsts({ includeSubDomains: false }));

Recommended

import express from 'express';
import helmet from 'helmet';

const app = express();
// Policy also covers every subdomain (helmet's default)
app.use(helmet.hsts({ includeSubDomains: true }));
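As an added example (not code from helmet or DeepSource), the following builds the header value the two configurations above produce and audits a received Strict-Transport-Security value for the weak settings the rule targets. Function names, the one-year default max-age and the audit thresholds are assumptions chosen here.

```javascript
// Mirrors the header the recommended/bad helmet.hsts() options produce.
// maxAge is in seconds; the 365-day default here is an assumption.
function buildHsts({ maxAge = 31536000, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Parse a received header value; directive names are case-insensitive.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [name, raw] = part.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age') policy.maxAge = Number(raw); // NaN if the value is missing
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
    else if (key === 'preload') policy.preload = true;
  }
  return policy;
}

// Returns a list of findings; an empty list means the header is acceptable.
function auditHsts(value, minMaxAge = 31536000) {
  const findings = [];
  const p = parseHsts(value);
  if (p.maxAge === null || Number.isNaN(p.maxAge)) {
    findings.push('missing or invalid max-age');
  } else if (p.maxAge < minMaxAge) {
    findings.push(`max-age ${p.maxAge} is below the required ${minMaxAge}`);
  }
  if (!p.includeSubDomains) {
    findings.push('includeSubDomains missing: subdomains remain reachable over plain HTTP');
  }
  if (p.preload && (!p.includeSubDomains || !(p.maxAge >= 31536000))) {
    findings.push('preload requires includeSubDomains and max-age >= 31536000');
  }
  return findings;
}

// Constructed sample values, as a server configured with the two snippets above would send:
const badHeader = buildHsts({ includeSubDomains: false });  // "max-age=31536000"
const goodHeader = buildHsts({ includeSubDomains: true });  // "max-age=31536000; includeSubDomains"
```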