From ab566356870a1cdc4c451891664c4e9de8d4c396 Mon Sep 17 00:00:00 2001
From: Sohrab Chegini
Date: Sat, 27 Apr 2024 18:55:16 +0330
Subject: [PATCH] Strict-Transport-Security: increase max-age to 1 year

See [#457] and [#459].

[#457]: https://github.com/helmetjs/helmet/issues/457
[#459]: https://github.com/helmetjs/helmet/pull/459
---
 middlewares/strict-transport-security/index.ts | 2 +-
 test/index.test.ts | 2 +-
 test/strict-transport-security.test.ts | 10 +++++-----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/middlewares/strict-transport-security/index.ts b/middlewares/strict-transport-security/index.ts
index ea242ba..fa6e773 100644
--- a/middlewares/strict-transport-security/index.ts
+++ b/middlewares/strict-transport-security/index.ts
@@ -1,6 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "http";
 
-const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;
+const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60;
 
 export interface StrictTransportSecurityOptions {
 maxAge?: number;
diff --git a/test/index.test.ts b/test/index.test.ts
index ed9738c..5604e25 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -35,7 +35,7 @@ describe("helmet", () => {
 "cross-origin-resource-policy": "same-origin",
 "origin-agent-cluster": "?1",
 "referrer-policy": "no-referrer",
- "strict-transport-security": "max-age=15552000; includeSubDomains",
+ "strict-transport-security": "max-age=31536000; includeSubDomains",
 "x-content-type-options": "nosniff",
 "x-dns-prefetch-control": "off",
 "x-download-options": "noopen",
diff --git a/test/strict-transport-security.test.ts b/test/strict-transport-security.test.ts
index fa132e6..dc1d780 100644
--- a/test/strict-transport-security.test.ts
+++ b/test/strict-transport-security.test.ts
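Review bot: The new `DEFAULT_MAX_AGE` in the first hunk carries no comment saying why 365 days was chosen; add `// 1 year: the minimum max-age hstspreload.org requires for preload-list submission` above the constant so the next bump is judged against the same criterion. The expectations elsewhere in this patch show `includeSubDomains` is still emitted by default, so roughly doubling the window also roughly doubles how long browsers will refuse plain HTTP to every subdomain once a site has sent this header, which is worth stating wherever the project documents the default (this patch touches no documentation file). The middleware body that consumes `DEFAULT_MAX_AGE` lies outside the hunk.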
@@ -3,10 +3,10 @@ import strictTransportSecurity from "../middlewares/strict-transport-security";
 
 describe("Strict-Transport-Security middleware", () => {
 it('by default, sets max-age to 180 days and adds "includeSubDomains"', async () => {
- expect(15552000).toStrictEqual(180 * 24 * 60 * 60);
+ expect(31536000).toStrictEqual(365 * 24 * 60 * 60);
 
 const expectedHeaders = {
- "strict-transport-security": "max-age=15552000; includeSubDomains",
+ "strict-transport-security": "max-age=31536000; includeSubDomains",
 };
 
 await check(strictTransportSecurity(), expectedHeaders);
@@ -45,20 +45,20 @@ describe("Strict-Transport-Security middleware", () => {
 
 it("disables subdomains with the includeSubDomains option", async () => {
 await check(strictTransportSecurity({ includeSubDomains: false }), {
- "strict-transport-security": "max-age=15552000",
+ "strict-transport-security": "max-age=31536000",
 });
 });
 
 it("can enable preloading", async () => {
 await check(strictTransportSecurity({ preload: true }), {
 "strict-transport-security":
- "max-age=15552000; includeSubDomains; preload",
+ "max-age=31536000; includeSubDomains; preload",
 });
 });
 
 it("can explicitly disable preloading", async () => {
 await check(strictTransportSecurity({ preload: false }), {
- "strict-transport-security": "max-age=15552000; includeSubDomains",
+ "strict-transport-security": "max-age=31536000; includeSubDomains",
 });
 });
 
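Review bot: The test description in the hunk at line 3 still says `sets max-age to 180 days` while the assertion now checks 365 days; rename it to `it('by default, sets max-age to 365 days and adds "includeSubDomains"', async () => {` so a failure message reports the actual default. The `expect(31536000).toStrictEqual(365 * 24 * 60 * 60);` line only verifies arithmetic and never exercises the middleware; the header expectation a few lines below already pins the default, so that line could be dropped or reduced to a comment on the expected value. The hunk at line 45 is a consistent value update and needs no change.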