Increase default Strict-Transport-Security maxAge to 1 year #457
Good idea. We should change the default to 1 year. This probably means updating this line:
And then updating all the tests that fail, which I hope is easy.
EvanHahn pushed a commit that referenced this issue on Apr 27, 2024
EvanHahn pushed a commit that referenced this issue on Apr 27, 2024
EvanHahn pushed a commit that referenced this issue on Apr 28, 2024
EvanHahn pushed a commit that referenced this issue on May 25, 2024
EvanHahn pushed a commit that referenced this issue on Jun 1, 2024
Code: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/index.ts#L3
During a pen-test on our app, the current setting of 180 days was flagged as sub-optimal.
When searching the web, almost all authoritative websites default the max-age to 1 year, either as a recommendation or in their examples.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html (recommendation)
https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/configure-http-strict-transport-security-in-exchange-server?view=exchserver-2019 (recommendation)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security (examples)
https://hstspreload.org (validation error when < 1 year)
Note: semver-major so probably for v8
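Added example (not helmet's own code): a small header builder using helmet-style option names (maxAge, includeSubDomains, preload) next to a checker for the hstspreload.org requirements the issue links to, showing why the 180-day default is rejected and a 1-year value passes. ONE_YEAR, OLD_DEFAULT and the function names are this example's own, and its defaults are assumptions, not helmet's.

```javascript
// Added example, not helmet's code: build a Strict-Transport-Security value and
// check it against the hstspreload.org requirements (max-age >= 1 year,
// includeSubDomains, preload) that the issue cites.
const ONE_YEAR = 365 * 24 * 60 * 60;    // 31536000 seconds
const OLD_DEFAULT = 180 * 24 * 60 * 60; // 15552000 seconds, the default the pen-test flagged

// Build the header value. Option names mirror helmet's; the defaults are this example's.
function buildHsts({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError(`maxAge must be a non-negative integer, got ${maxAge}`);
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push("includeSubDomains");
  if (preload) directives.push("preload");
  return directives.join("; ");
}

// Parse a header value into { maxAge, includeSubDomains, preload }.
// Directive names are case-insensitive and max-age may be quoted (RFC 6797).
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split("=").map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age": result.maxAge = Number(val.replace(/^"|"$/g, "")); break;
      case "includesubdomains": result.includeSubDomains = true; break;
      case "preload": result.preload = true; break;
    }
  }
  return result;
}

// List everything that would make hstspreload.org reject this header value.
function preloadProblems(value) {
  const { maxAge, includeSubDomains, preload } = parseHsts(value);
  const problems = [];
  if (maxAge === null || Number.isNaN(maxAge)) problems.push("missing max-age");
  else if (maxAge < ONE_YEAR) problems.push(`max-age ${maxAge} is below one year (${ONE_YEAR})`);
  if (!includeSubDomains) problems.push("missing includeSubDomains");
  if (!preload) problems.push("missing preload");
  return problems;
}

console.log(preloadProblems(buildHsts({ maxAge: OLD_DEFAULT }))); // old default fails
console.log(preloadProblems(buildHsts({ preload: true })));       // 1 year + preload passes
```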