From 66f79f2264f2850a79311dea647718354cb7bde3 Mon Sep 17 00:00:00 2001
From: Marianna Ghirardelli <43092418+maghirardelli@users.noreply.github.com>
Date: Wed, 10 Nov 2021 16:14:11 -0500
Subject: [PATCH] fix: hsts header (#790)

---
 .../packages/api-handler-factory/lib/handler.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js b/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js
index e960e79a9b..4da5449091 100644
--- a/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js
+++ b/addons/addon-base-rest-api/packages/api-handler-factory/lib/handler.js
@@ -54,6 +54,16 @@ function handlerFactory({ registerServices, registerRoutes }) {
 // register routes
 await registerRoutes(appContext, apiRouter);
 
+ // Implement HSTS before any other controller (https://www.maxivanov.io/http-strict-transport-security/)
+ // max-age = 63072000 which is 1 year
+ // includeSubDomains to protect subdomains of the site with HSTS as well (recommended)
+ app.use((req, res, next) => {
+ if (req.secure) {
+ res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
+ }
+ next();
+ });
+
 // setup CORS, compression and body parser
 const isDev = settingsService.get('envType') === 'dev';
 let allowList = settingsService.optionalObject('corsAllowList', []);
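Review bot: The `if (req.secure)` guard in the added middleware will never be true when TLS is terminated upstream (API Gateway, ALB, CloudFront), because Express derives `req.secure` from `req.protocol`, which only honors `X-Forwarded-Proto` once `trust proxy` is enabled, and nothing in this hunk enables it, so in that deployment the header is silently never sent. Either enable the proxy setting before this middleware (`app.set('trust proxy', true)`, narrowed to the real proxy hop if clients can also reach the app directly), or drop the condition and always call `res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains')`, which is safe because RFC 6797 requires user agents to ignore the header when it arrives over plain HTTP. The comment `// max-age = 63072000 which is 1 year` is wrong: 63072000 seconds is two years (one year is 31536000), so fix the comment or the value, and if two years is intended say so, since a long max-age is hard to walk back. The comment also says the header is set "before any other controller", yet the middleware is registered after `registerRoutes(appContext, apiRouter)`; that is only correct if `apiRouter` is mounted on `app` later (not visible here), otherwise responses from those routes bypass it. handlerFactory's body continues on both sides of the hunk.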