Strict Transport Security (STS) is an opt-in security enhancement that forces usage of HTTPS
instead of HTTP
(in modern browsers, anyway.)
Implementing STS is actually very simple and only takes a few lines of code. But better yet, a few different open-source modules exist that bring support for this feature to Express and Sails. To use one of these modules, install it from npm using the directions below, then open config/http.js
in your project and configure it as a custom middleware. The example(s) below cover basic usage and configuration. For more guidance and advanced usage details, be sure and follow the link to the docs.
lusca
is open-source under the Apache license
# In your sails app
npm install lusca --save
Then in the middleware
config object in config/http.js
:
// ...
// maxAge ==> Number of seconds strict transport security will stay in effect.
strictTransportSecurity: require('lusca').hsts({ maxAge: 31536000 })
// ...