aux/keyserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add HTTPS public key pinning

Browse Source
This commit is contained in:
Tankred Hase 2016-06-10 17:48:41 +02:00
parent 68fba28dd9
commit 4b183c8976
4 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -219,6 +219,8 @@ npm start
The `config/development.js` file can be used to configure a local development installation. For production use, the following environment variables need to be set:
* NODE_ENV=production
* UPGRADE_HTTPS=true (upgrade HTTP to HTTPS and use [HSTS](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security))
* PUBLIC_KEY_PIN=<base64 encoded sha256> (use [HPKP](https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning))
* MONGO_URI=127.0.0.1:27017/test_db
* MONGO_USER=db_user
* MONGO_PASS=db_password

2
config/default.js
View File

@ -6,6 +6,8 @@ module.exports = {
server: {
port: process.env.PORT || 8888,
upgradeHTTPS: process.env.UPGRADE_HTTPS,
publicKeyPin: process.env.PUBLIC_KEY_PIN
},
mongo: {

4
config/production.js
View File

@ -5,7 +5,7 @@ module.exports = {
},
server: {
upgradeHTTP: true
},
upgradeHTTPS: process.env.UPGRADE_HTTPS || true // use HTTPS by default
}
};

25
src/app.js
View File

@ -73,9 +73,23 @@ router.get('/user/:search', function *() {
// display homepage
router.get('/', home);
// Redirect all http traffic to https
app.use(function *(next) {
if (util.isTrue(config.server.upgradeHTTPS) && util.checkHTTP(this)) {
this.redirect('https://' + this.hostname + this.url);
} else {
yield next;
}
});
// Set HTTP response headers
app.use(function *(next) {
this.set('Strict-Transport-Security', 'max-age=16070400');
if (util.isTrue(config.server.upgradeHTTPS)) {
this.set('Strict-Transport-Security', 'max-age=31536000');
}
if (config.server.publicKeyPin) {
this.set('Public-Key-Pins', 'pin-sha256="' + config.server.publicKeyPin + '"');
}
this.set('Access-Control-Allow-Origin', '*');
this.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
this.set('Access-Control-Allow-Headers', 'Content-Type');
@ -84,15 +98,6 @@ app.use(function *(next) {
yield next;
});
// Redirect all http traffic to https
app.use(function *(next) {
if (config.server.upgradeHTTP && util.checkHTTP(this)) {
this.redirect('https://' + this.hostname + this.url);
} else {
yield next;
}
});
app.use(router.routes());
app.use(router.allowedMethods());