When using Node.js and Express, HTTPS policies can be configured through the helmet library, whose hsts middleware sets the Strict-Transport-Security header. Its includeSubDomains option determines whether the policy applies only to the host that sent the header or also to all of its subdomains.
When configuring HTTPS with a strict transport policy, apply the policy to all subdomains. A site that supports HTTPS typically redirects clients that request the HTTP version to HTTPS, but that first plain-HTTP request and its redirect travel unencrypted, so an attacker in a man-in-the-middle position can intercept or rewrite them. The Strict-Transport-Security (HSTS) response header instructs the browser to upgrade every subsequent HTTP request for the host to HTTPS itself, before anything is sent on the wire. The browser only accepts the header from a response it has already received over HTTPS, so the very first visit stays exposed unless the domain is on a browser preload list.
A browser that receives the Strict-Transport-Security header over HTTPS records the following directives:

max-age: how long, in seconds, the browser should keep enforcing the policy for this host. A value of 0 tells the browser to forget the policy.
includeSubDomains: optional; if present, the policy also applies to every subdomain of the host.
preload: optional; not part of the HSTS specification (RFC 6797) but honoured by all modern browsers. It signals that the site operator wants the domain included in the browsers' built-in preload lists, which removes the exposure of the first visit.

With helmet, the hsts middleware emits this header. Setting includeSubDomains to false restricts the policy to the bare host and leaves its subdomains open to downgrade:

import express from 'express';
import helmet from 'helmet';

const app = express();
// Emits: Strict-Transport-Security: max-age=15552000 (helmet's default max-age).
// Subdomains are not covered by the policy.
app.use(helmet.hsts({ includeSubDomains: false }));

Applying the policy to all subdomains:

import express from 'express';
import helmet from 'helmet';

const app = express();
// Emits: Strict-Transport-Security: max-age=15552000; includeSubDomains
// includeSubDomains is helmet's default, so helmet.hsts() alone behaves the same.
app.use(helmet.hsts({ includeSubDomains: true }));
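To make the header values concrete, here is an added example written for Node.js; it is not code from the original page or from the helmet project. It builds the Strict-Transport-Security value from the same three options helmet exposes, parses a received header following the RFC 6797 directive syntax (case-insensitive names, optional quoting of max-age, no duplicate directives, unknown directives ignored), and audits the result against the requirements of the browser preload lists (max-age of at least one year, includeSubDomains, preload). The helper names buildHstsHeader, parseHstsHeader and auditHsts are this example's own; the default of 15552000 seconds mirrors helmet's documented default.

```javascript
// Added example, not from the original page or the helmet project: build,
// parse and audit a Strict-Transport-Security header value without helmet.

// helmet.hsts() documents 15552000 seconds (180 days) as its default max-age;
// the browser preload lists (hstspreload.org) require at least one year.
const HELMET_DEFAULT_MAX_AGE = 15552000;
const ONE_YEAR_SECONDS = 31536000;

// Build the header value a server would emit for the given options
// (same option names and defaults as helmet.hsts).
function buildHstsHeader({ maxAge = HELMET_DEFAULT_MAX_AGE, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Parse a received header value. RFC 6797 section 6.1: directives are
// separated by ';', names are case-insensitive, max-age takes an integer
// (optionally quoted), a directive may appear only once, and unknown
// directives are ignored.
function parseHstsHeader(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) throw new Error(`duplicate directive: ${name}`);
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) throw new Error(`invalid max-age: ${directive}`);
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  if (policy.maxAge === null) throw new Error('max-age directive is required');
  return policy;
}

// Audit a header value; returns an array of findings (empty means the
// policy covers the host and all subdomains for at least a year).
function auditHsts(value) {
  const findings = [];
  const p = parseHstsHeader(value);
  if (p.maxAge === 0) {
    findings.push('max-age=0 tells the browser to drop the policy for this host');
  } else if (p.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`max-age ${p.maxAge} is below one year (${ONE_YEAR_SECONDS}); preload lists reject it`);
  }
  if (!p.includeSubDomains) {
    findings.push('includeSubDomains missing: plain-HTTP requests to subdomains are still downgradable');
  }
  if (p.preload && (!p.includeSubDomains || p.maxAge < ONE_YEAR_SECONDS)) {
    findings.push('preload is set but the preload-list requirements are not met');
  }
  return findings;
}

// What the two helmet configurations from the text put on the wire.
const withoutSubdomains = buildHstsHeader({ includeSubDomains: false }); // helmet.hsts({ includeSubDomains: false })
const withSubdomains = buildHstsHeader({ includeSubDomains: true });     // helmet.hsts({ includeSubDomains: true })
console.log(withoutSubdomains, '->', auditHsts(withoutSubdomains));
console.log(withSubdomains, '->', auditHsts(withSubdomains));
console.log(auditHsts('max-age=63072000; includeSubDomains; preload'));
```

Run with node; the audit of the first configuration reports both the missing includeSubDomains directive and the sub-one-year max-age, while the second only reports the max-age, which is why a production deployment normally raises maxAge to at least 31536000 before adding preload.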