fix: hsts header (#790)

awslabs · Nov 10, 2021 · 66f79f2 · 66f79f2
1 parent 0967129
commit 66f79f2
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js b/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js
@@ -54,6 +54,16 @@ function handlerFactory({ registerServices, registerRoutes }) {
     // register routes
     await registerRoutes(appContext, apiRouter);
 
+    // Implement HSTS before any other controller (https://www.maxivanov.io/http-strict-transport-security/)
+    // max-age = 63072000 which is 1 year
+    // includeSubDomains to protect subdomains of the site with HSTS as well (recommended)
+    app.use((req, res, next) => {
+      if (req.secure) {
+        res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
+      }
+      next();
+    });
+
     // setup CORS, compression and body parser
     const isDev = settingsService.get('envType') === 'dev';
     let allowList = settingsService.optionalObject('corsAllowList', []);