From b6917e1b32fa1f5af06f3c0df391ffb3ccfc7200 Mon Sep 17 00:00:00 2001
From: Matthew Mallimo
Date: Mon, 30 Oct 2023 11:57:18 -0400
Subject: [PATCH] feat: update strict transport security header to 2 years

---
 __tests__/integration/one-app.spec.js | 10 +++++-----
 __tests__/server/plugins/addSecurityHeaders.spec.js | 8 ++++----
 src/server/plugins/addSecurityHeaders.js | 2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/__tests__/integration/one-app.spec.js b/__tests__/integration/one-app.spec.js
index c007fad9..2e69a66d 100644
--- a/__tests__/integration/one-app.spec.js
+++ b/__tests__/integration/one-app.spec.js
@@ -1354,7 +1354,7 @@ describe('Tests that require Docker setup', () => {
 'same-origin',
 ],
 'strict-transport-security': [
- 'max-age=15552000; includeSubDomains',
+ 'max-age=63072000; includeSubDomains',
 ],
 vary: [
 'Accept-Encoding, accept-encoding',
@@ -1408,7 +1408,7 @@ describe('Tests that require Docker setup', () => {
 'same-origin',
 ],
 'strict-transport-security': [
- 'max-age=15552000; includeSubDomains',
+ 'max-age=63072000; includeSubDomains',
 ],
 'x-content-type-options': [
 'nosniff',
@@ -1467,7 +1467,7 @@ describe('Tests that require Docker setup', () => {
 'same-origin',
 ],
 'strict-transport-security': [
- 'max-age=15552000; includeSubDomains',
+ 'max-age=63072000; includeSubDomains',
 ],
 vary: [
 'Accept-Encoding, accept-encoding',
@@ -1525,7 +1525,7 @@ describe('Tests that require Docker setup', () => {
 'same-origin',
 ],
 'strict-transport-security': [
- 'max-age=15552000; includeSubDomains',
+ 'max-age=63072000; includeSubDomains',
 ],
 vary: ['Accept-Encoding'],
 'x-content-type-options': [
@@ -1589,7 +1589,7 @@ describe('Tests that require Docker setup', () => {
 'no-referrer',
 ],
 'strict-transport-security': [
- 'max-age=15552000; includeSubDomains',
+ 'max-age=63072000; includeSubDomains',
 ],
 vary: [
 'Accept-Encoding, accept-encoding',
diff --git a/__tests__/server/plugins/addSecurityHeaders.spec.js b/__tests__/server/plugins/addSecurityHeaders.spec.js
index e99d306a..9f28016d 100644
--- a/__tests__/server/plugins/addSecurityHeaders.spec.js
+++ b/__tests__/server/plugins/addSecurityHeaders.spec.js
@@ -42,7 +42,7 @@ describe('addSecurityHeaders', () => {
 expect(done).toHaveBeenCalled();
 expect(reply.header).toHaveBeenCalledTimes(9);
 expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
- expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+ expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
 expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
 expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
 expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -78,7 +78,7 @@ describe('addSecurityHeaders', () => {
 expect(done).toHaveBeenCalled();
 expect(reply.header).toHaveBeenCalledTimes(9);
 expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
- expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+ expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
 expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
 expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
 expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -110,7 +110,7 @@ describe('addSecurityHeaders', () => {
 expect(done).toHaveBeenCalled();
 expect(reply.header).toHaveBeenCalledTimes(9);
 expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
- expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+ expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
 expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
 expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
 expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
@@ -143,7 +143,7 @@ describe('addSecurityHeaders', () => {
 expect(done).toHaveBeenCalled();
 expect(reply.header).toHaveBeenCalledTimes(9);
 expect(reply.header).toHaveBeenCalledWith('vary', 'Accept-Encoding');
- expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+ expect(reply.header).toHaveBeenCalledWith('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
 expect(reply.header).toHaveBeenCalledWith('x-dns-prefetch-control', 'off');
 expect(reply.header).toHaveBeenCalledWith('x-download-options', 'noopen');
 expect(reply.header).toHaveBeenCalledWith('x-permitted-cross-domain-policies', 'none');
diff --git a/src/server/plugins/addSecurityHeaders.js b/src/server/plugins/addSecurityHeaders.js
index 1aea7ca8..518ddc3a 100644
--- a/src/server/plugins/addSecurityHeaders.js
+++ b/src/server/plugins/addSecurityHeaders.js
@@ -27,7 +27,7 @@ const addSecurityHeaders = (fastify, opts = {}, done) => {
 fastify.addHook('onRequest', async (request, reply) => {
 reply.header('vary', 'Accept-Encoding');
- reply.header('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
+ reply.header('Strict-Transport-Security', 'max-age=63072000; includeSubDomains');
 reply.header('x-dns-prefetch-control', 'off');
 reply.header('x-download-options', 'noopen');
 reply.header('x-permitted-cross-domain-policies', 'none');
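Review bot: The new `max-age=63072000` on the Strict-Transport-Security line is a bare magic number whose meaning (two years) lives only in the commit subject, so the next reader has to do the arithmetic to know what policy is being set. Hoist it into a named constant above the hook, `const HSTS_MAX_AGE_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000: two years, the value browsers cache the HTTPS-only rule for`, and build the header value from it with a template literal. The same literal is repeated in the four unit-test expectations and five integration-test expectations in the earlier hunks; exporting the constant (or deriving the expected string from it) would keep them from drifting the next time the policy changes. Since a two-year max-age means any subdomain that later cannot serve TLS stays unreachable for returning clients until they receive a fresh header, a one-line comment recording that the directive set is deliberately `includeSubDomains` without `preload` would document the choice for future maintainers. The enclosing addSecurityHeaders function starts and ends outside the hunk.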