feat: update strict transport security header to 2 years

americanexpress · Oct 30, 2023 · b6917e1 · b6917e1
1 parent ee38a2f
commit b6917e1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/__tests__/integration/one-app.spec.js b/__tests__/integration/one-app.spec.js
@@ -1354,7 +1354,7 @@ describe('Tests that require Docker setup', () => {
           'same-origin',
         ],
         'strict-transport-security': [
-          'max-age=15552000; includeSubDomains',
+          'max-age=63072000; includeSubDomains',
         ],
         vary: [
           'Accept-Encoding, accept-encoding',
@@ -1408,7 +1408,7 @@ describe('Tests that require Docker setup', () => {
           'same-origin',
         ],
         'strict-transport-security': [
-          'max-age=15552000; includeSubDomains',
+          'max-age=63072000; includeSubDomains',
         ],
         'x-content-type-options': [
           'nosniff',
@@ -1467,7 +1467,7 @@ describe('Tests that require Docker setup', () => {
           'same-origin',
         ],
         'strict-transport-security': [
-          'max-age=15552000; includeSubDomains',
+          'max-age=63072000; includeSubDomains',
         ],
         vary: [
           'Accept-Encoding, accept-encoding',
@@ -1525,7 +1525,7 @@ describe('Tests that require Docker setup', () => {
           'same-origin',
         ],
         'strict-transport-security': [
-          'max-age=15552000; includeSubDomains',
+          'max-age=63072000; includeSubDomains',
         ],
         vary: ['Accept-Encoding'],
         'x-content-type-options': [
@@ -1589,7 +1589,7 @@ describe('Tests that require Docker setup', () => {
           'no-referrer',
         ],
         'strict-transport-security': [
-          'max-age=15552000; includeSubDomains',
+          'max-age=63072000; includeSubDomains',
         ],
         vary: [
           'Accept-Encoding, accept-encoding',

diff --git a/__tests__/server/plugins/addSecurityHeaders.spec.js b/__tests__/server/plugins/addSecurityHeaders.spec.js
@@ -42,7 +42,7 @@ describe('addSecurityHeaders', () => {
     expect(done).toHaveBeenCalled();
     expect(reply.header).toHaveBeenCalledTimes(9);
     expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
-    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
     expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
     expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -78,7 +78,7 @@ describe('addSecurityHeaders', () => {
     expect(done).toHaveBeenCalled();
     expect(reply.header).toHaveBeenCalledTimes(9);
     expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
-    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
     expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
     expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -110,7 +110,7 @@ describe('addSecurityHeaders', () => {
     expect(done).toHaveBeenCalled();
     expect(reply.header).toHaveBeenCalledTimes(9);
     expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
-    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
     expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
     expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -143,7 +143,7 @@ describe('addSecurityHeaders', () => {
     expect(done).toHaveBeenCalled();
     expect(reply.header).toHaveBeenCalledTimes(9);
     expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
-    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+    expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
     expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
     expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');

diff --git a/src/server/plugins/addSecurityHeaders.js b/src/server/plugins/addSecurityHeaders.js
@@ -27,7 +27,7 @@ const addSecurityHeaders = (fastify, opts = {}, done) => {
 
   fastify.addHook('onRequest', async (request, reply) => {
     reply.header('vary', 'Accept-Encoding');
-    reply.header('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+    reply.header('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
     reply.header('x-dns-prefetch-control', 'off');
     reply.header('x-download-options', 'noopen');
     reply.header('x-permitted-cross-domain-policies', 'none');