Enforce ssl and hsts in prod

api/package.json

@@ -41,6 +41,7 @@
     "draftjs-to-markdown": "^0.4.2",
     "emoji-regex": "^6.1.1",
     "express": "^4.16.4",
+    "express-enforces-ssl": "^1.1.0",
     "express-session": "^1.15.2",
     "faker": "^4.1.0",
     "find-with-regex": "^1.1.3",
@@ -57,6 +58,7 @@
     "hoist-non-react-statics": "^2.5.5",
     "host-validation": "^1.2.0",
     "hpp": "^0.2.2",
+    "hsts": "^2.1.0",
     "imgix-core-js": "^1.2.0",
     "immutability-helper": "^2.8.1",
     "isomorphic-fetch": "^2.2.1",

api/yarn.lock

@@ -3744,6 +3744,11 @@ expect@^21.2.1:
     jest-message-util "^21.2.1"
     jest-regex-util "^21.2.0"
 
+express-enforces-ssl@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/express-enforces-ssl/-/express-enforces-ssl-1.1.0.tgz#cf29c6a61c5bdd802e2c7ed265a4a98e7487d1ac"
+  integrity sha1-zynGphxb3YAuLH7SZaSpjnSH0aw=
+
 express-session@^1.15.2:
   version "1.15.6"
   resolved "https://registry.yarnpkg.com/express-session/-/express-session-1.15.6.tgz#47b4160c88f42ab70fe8a508e31cbff76757ab0a"
@@ -4588,7 +4593,7 @@ hpp@^0.2.2:
     lodash "^4.7.0"
     type-is "^1.6.12"
 
-hsts@2.1.0:
+hsts@2.1.0, hsts@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/hsts/-/hsts-2.1.0.tgz#cbd6c918a2385fee1dd5680bfb2b3a194c0121cc"
 

flow-typed/npm/express-enforces-ssl_vx.x.x.js

@@ -0,0 +1,33 @@
+// flow-typed signature: e36181803629e2d4387bbfd37640c8e6
+// flow-typed version: <<STUB>>/express-enforces-ssl_v1.1.0/flow_v0.66.0
+
+/**
+ * This is an autogenerated libdef stub for:
+ *
+ *   'express-enforces-ssl'
+ *
+ * Fill this stub out by replacing all the `any` types.
+ *
+ * Once filled out, we encourage you to share your work with the
+ * community by sending a pull request to:
+ * https://github.com/flowtype/flow-typed
+ */
+
+declare module 'express-enforces-ssl' {
+  declare module.exports: any;
+}
+
+/**
+ * We include stubs for each file inside this npm package in case you need to
+ * require those files directly. Feel free to delete any files that aren't
+ * needed.
+ */
+
+
+// Filename aliases
+declare module 'express-enforces-ssl/index' {
+  declare module.exports: $Exports<'express-enforces-ssl'>;
+}
+declare module 'express-enforces-ssl/index.js' {
+  declare module.exports: $Exports<'express-enforces-ssl'>;
+}

flow-typed/npm/hsts_vx.x.x.js

@@ -0,0 +1,33 @@
+// flow-typed signature: 9df3b65568692b49a7bd33daa52cb704
+// flow-typed version: <<STUB>>/hsts_v2.1.0/flow_v0.66.0
+
+/**
+ * This is an autogenerated libdef stub for:
+ *
+ *   'hsts'
+ *
+ * Fill this stub out by replacing all the `any` types.
+ *
+ * Once filled out, we encourage you to share your work with the
+ * community by sending a pull request to:
+ * https://github.com/flowtype/flow-typed
+ */
+
+declare module 'hsts' {
+  declare module.exports: any;
+}
+
+/**
+ * We include stubs for each file inside this npm package in case you need to
+ * require those files directly. Feel free to delete any files that aren't
+ * needed.
+ */
+
+
+// Filename aliases
+declare module 'hsts/index' {
+  declare module.exports: $Exports<'hsts'>;
+}
+declare module 'hsts/index.js' {
+  declare module.exports: $Exports<'hsts'>;
+}

package.json

@@ -98,6 +98,7 @@
     "eslint-plugin-standard": "^3.1.0",
     "expo-server-sdk": "^2.4.0",
     "express": "^4.16.4",
+    "express-enforces-ssl": "^1.1.0",
     "express-session": "^1.15.2",
     "faker": "^4.1.0",
     "find-with-regex": "^1.0.2",
@@ -115,6 +116,7 @@
     "hoist-non-react-statics": "^2.3.1",
     "host-validation": "^1.1.0",
     "hpp": "^0.2.2",
+    "hsts": "^2.1.0",
     "idx": "^2.4.0",
     "imgix-core-js": "^1.0.6",
     "ioredis": "3.2.2",

shared/middlewares/security.js

@@ -2,6 +2,9 @@
 const hpp = require('hpp');
 const helmet = require('helmet');
 const uuid = require('uuid');
+const hsts = require('hsts');
+const express_enforces_ssl = require('express-enforces-ssl');
+const IS_PROD = process.env.NODE_ENV === 'production' && !process.env.FORCE_DEV;
 
 function securityMiddleware(
   server: express$Application,
@@ -13,6 +16,22 @@ function securityMiddleware(
   // Prevent HTTP Parameter pollution.
   server.use(hpp());
 
+  if (IS_PROD) {
+    server.use(
+      hsts({
+        // 5 mins in seconds
+        // we will scale this up incrementally to ensure we dont break the
+        // app for end users
+        // see deployment recommendations here https://hstspreload.org/?domain=spectrum.chat
+        maxAge: 300,
+        includeSubDomains: true,
+        preload: true,
+      })
+    );
+
+    server.use(express_enforces_ssl());
+  }
+
   // The xssFilter middleware sets the X-XSS-Protection header to prevent
   // reflected XSS attacks.
   // @see https://helmetjs.github.io/docs/xss-filter/

yarn.lock

@@ -5405,6 +5405,11 @@ expo-server-sdk@^2.4.0:
     node-fetch "^2.1.2"
     promise-limit "^2.6.0"
 
+express-enforces-ssl@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/express-enforces-ssl/-/express-enforces-ssl-1.1.0.tgz#cf29c6a61c5bdd802e2c7ed265a4a98e7487d1ac"
+  integrity sha1-zynGphxb3YAuLH7SZaSpjnSH0aw=
+
 express-session@^1.15.2:
   version "1.15.6"
   resolved "https://registry.yarnpkg.com/express-session/-/express-session-1.15.6.tgz#47b4160c88f42ab70fe8a508e31cbff76757ab0a"
@@ -6476,7 +6481,7 @@ hpp@^0.2.2:
     lodash "^4.7.0"
     type-is "^1.6.12"
 
-hsts@2.1.0:
+hsts@2.1.0, hsts@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/hsts/-/hsts-2.1.0.tgz#cbd6c918a2385fee1dd5680bfb2b3a194c0121cc"