Letshin

Reputation: 127

HSTS (HTTP Strict Transport Security) on Node-red

I'm trying to get Node-Red running on a network for a project. IT security at my workplace have run a security check and recommend that I enable HSTS. I'm not a network expert and have no idea how to do this.

I've enabled HTTPS in the settings.js file of node-red and to add HSTS (HTTP Strict Transport Security) I need to add this line to the header:

Strict-Transport-Security: max-age=60000.

Can I append this option to the Node-red settings.js file or would I have to set an environment variable outside of Node-red to do this? I've never had to do either before so can anyone offer some additional guidance on this please if this is the case?

Upvotes: 0

Views: 924

Answers (1)

hardillb

Reputation: 59608

At the moment there is no flag you could just set that will enable it, but you can use the httpAdminMiddleware option in settings.js to add it.

Something like the following:

httpAdminMiddleware: function(req, res, next) {
    res.set('Strict-Transport-Security', 'max-age=60000');
    next();
},

Just remember that once set you won't be able to disable HTTPS until 60000 seconds after the last time you access Node-RED with a given browser.

Upvotes: 1
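An added example, not part of the original answer and not Node-RED's own code: it wraps the answer's middleware in a small factory so the same header can also be attached to `httpNodeMiddleware` (the HTTP In node routes), is sent only on HTTPS responses, and can be rolled back with `max-age=0`. The names `hstsMiddleware` and `simulate` are hypothetical, and the mock request/response objects are constructed for the demonstration. It assumes Node-RED terminates TLS itself, so Express reports `req.secure` as true for HTTPS requests.

```javascript
// Hypothetical helper (added example): builds an Express-style middleware
// that sets Strict-Transport-Security, as in the answer above.
function hstsMiddleware(options = {}) {
    // 60000 seconds is the value used in the question and answer.
    const maxAge = options.maxAge === undefined ? 60000 : options.maxAge;
    if (!Number.isInteger(maxAge) || maxAge < 0) {
        throw new TypeError('maxAge must be a non-negative integer (seconds)');
    }
    let value = 'max-age=' + maxAge;
    if (options.includeSubDomains) {
        value += '; includeSubDomains';
    }
    return function (req, res, next) {
        // RFC 6797: the header belongs only on responses sent over secure
        // transport; browsers ignore it when it arrives over plain HTTP.
        if (req.secure) {
            res.set('Strict-Transport-Security', value);
        }
        next();
    };
}

const hsts = hstsMiddleware({ maxAge: 60000 });

// In settings.js these two properties go inside module.exports = { ... }.
const settings = {
    httpAdminMiddleware: hsts, // editor and admin API routes
    httpNodeMiddleware: hsts   // routes created by HTTP In nodes
};

// Rollback: serving max-age=0 over HTTPS tells a browser to drop the stored
// policy, so plain HTTP can be used again without waiting for expiry.
const hstsOff = hstsMiddleware({ maxAge: 0 });

// Constructed mock of an Express request/response pair for a dry run.
function simulate(middleware, secure) {
    const headers = {};
    let nextCalled = false;
    const req = { secure: secure };
    const res = { set: function (name, v) { headers[name] = v; } };
    middleware(req, res, function () { nextCalled = true; });
    return { headers: headers, nextCalled: nextCalled };
}

console.log(simulate(settings.httpAdminMiddleware, true).headers);
console.log(simulate(hstsOff, true).headers);
```

Each browser has to make at least one HTTPS request to the `max-age=0` configuration before its stored policy is cleared.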
