
Increase default Strict-Transport-Security maxAge to 1 year #457

Closed
webketje opened this issue Apr 24, 2024 · 3 comments

Comments

@webketje

webketje commented Apr 24, 2024

Code: https://github.com/helmetjs/helmet/blob/main/middlewares/strict-transport-security/index.ts#L3

During a pen-test on our app, the current setting of 180 days was flagged as sub-optimal.
When searching via the web, almost all authoritative websites default the max-age to 1 year as a recommendation or in their examples.

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html (recommendation)
https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/configure-http-strict-transport-security-in-exchange-server?view=exchserver-2019 (recommendation)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security (examples)
https://hstspreload.org (validation error when < 1 year)

Note: semver-major so probably for v8

@EvanHahn EvanHahn added this to the v8.0.0 milestone Apr 25, 2024
@EvanHahn
Member

Good idea. We should change the default to 1 year.

This probably means updating this line:

const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;

And then updating all the tests that fail, which I hope is easy.
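As an added illustration of the change discussed above (example code, not helmet's own implementation), the function below builds a Strict-Transport-Security header value with a one-year default and audits an existing value against the one-year minimum that hstspreload.org enforces; the 180-day value used in the test is the old default from the issue.

```javascript
// Added example, not helmet's code: build an HSTS header value and audit one.
// Default max-age is 365 days, the value the issue proposes.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // 31536000

function buildHsts({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError(`maxAge must be a non-negative integer, got ${maxAge}`);
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push("includeSubDomains");
  if (preload) directives.push("preload");
  return directives.join("; ");
}

// Parse a header value into its directives; directive names are case-insensitive (RFC 6797).
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val] = token.split("=").map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age":
        // Non-numeric max-age is recorded as NaN so the audit can flag it.
        result.maxAge = /^\d+$/.test(val ?? "") ? Number(val) : NaN;
        break;
      case "includesubdomains": result.includeSubDomains = true; break;
      case "preload": result.preload = true; break;
    }
  }
  return result;
}

// Return the findings a reviewer would raise: missing/invalid max-age, a max-age
// below one year (what hstspreload.org rejects), or preload without includeSubDomains.
function auditHsts(value) {
  const { maxAge, includeSubDomains, preload } = parseHsts(value);
  const findings = [];
  if (maxAge === null || Number.isNaN(maxAge)) findings.push("missing or invalid max-age");
  else if (maxAge < ONE_YEAR_SECONDS) findings.push(`max-age ${maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  if (preload && !includeSubDomains) findings.push("preload requires includeSubDomains");
  return findings;
}
```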

@sohrb

sohrb commented Apr 26, 2024

@EvanHahn Hi
Here is the PR

@EvanHahn
Member

Closed in #459. Thanks to @webketje for raising this issue and @sohrb for addressing it!

EvanHahn pushed a commit that referenced this issue Apr 27, 2024
EvanHahn pushed a commit that referenced this issue Apr 28, 2024
EvanHahn pushed a commit that referenced this issue May 25, 2024
EvanHahn pushed a commit that referenced this issue Jun 1, 2024