How to set HSTS security option globally on `Server` instance level

[Redouane64]

Support plan

• is this issue currently blocking your project? (yes/no): no
• is this issue affecting a production system? (yes/no): yes

Context

• node version: 12.22.1
• module version: 20.0.8
• environment (e.g. node, browser, native): node
• used with (e.g. hapi application, another framework, standalone, ...): hapi application v20.0.8
• any other relevant information: using typescript

How can we help?

How to set HSTS options on server instance instead of per route, currently this is not allowed:

const server = new Server({
        host: '127.0.0.1',
        port: 3333,
        state: {
            strictHeader: true
        },
        security: {
            hsts: {
                includeSubDomains: true,
                preload: true,
                maxAge: 15768000
            }
        }
    })

However, i can set it per route, like this:

    server.route({
        method: 'GET',
        path: '/',
        handler: () => ({ message: 'GET' }),
        options: {
            security: {
                hsts: {
                    includeSubDomains: true,
                    preload: true,
                    maxAge: 15768000
                },
                xss: ...
            }
        }
    })

In my application, too many routes defined and i want to apply HSTS globally for all routes.

[devinivy]

Glad to report this should be an easy fix! The server-wide route configs go under routes in the server configuration:

const server = new Server({
    host: '127.0.0.1',
    port: 3333,
    state: {
        strictHeader: true
    },
    routes: {
        security: {
            hsts: {
                includeSubDomains: true,
                preload: true,
                maxAge: 15768000
            }
        }
    }
})