Don't use HSTS on localhost.

Don't set the Strict-Transport-Security header, which causes browsers to make all further connections to the same host by HTTPS even when the user requests HTTP, when accessed as "localhost", because that breaks all other non-HTTPS services a user may have running on their machine, and the saved setting is a pain to get out of the system especially with Safari, where it also affects other applications that use the OS HTTP APIs (here's how: https://apple.stackexchange.com/questions/227662/how-do-i-fully-flush-cached-redirects-from-safari/285468#288002).
fablabwinti · Dec 26, 2023 · 7f9433b · 7f9433b
1 parent 04e7c4c
commit 7f9433b
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/server.js b/server.js
@@ -15,7 +15,13 @@ const helmet = require('helmet');
 var app = express();
 
 // init helmet (header security)
-app.use(helmet());
+// (but not HSTS when used on localhost as that will break all other non-HTTPS services on your machine)
+app.use(helmet({
+    hsts: {
+        maxAge: 864000,
+        setIf: function(req, res) { return !(req.headers.host && req.headers.host.includes('localhost')); }
+    }
+}));
 
 // init bodyParser
 app.use(bodyParser.urlencoded({ extended: true }));