Add on/off env var for HSTS

literalplus · literalplus · commit 1634d5c56718 · 2017-10-13T01:42:05.000+02:00
diff --git a/README.md b/README.md
@@ -154,6 +154,7 @@ Environment variables (will overwrite other server configs)
 | HMD_S3_SECRET_ACCESS_KEY | no example | AWS secret key |
 | HMD_S3_REGION | `ap-northeast-1` | AWS S3 region |
 | HMD_S3_BUCKET | no example | AWS S3 bucket name |
+| HMD_HSTS_ENABLE | ` true`  | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) |
 
 Application settings `config.json`
 ---
diff --git a/app.json b/app.json
@@ -23,7 +23,10 @@
             "description": "Specify database type. See sequelize available databases. Default using postgres",
             "value": "postgres"
         },
-
+        "HMD_HSTS_ENABLE": {
+            "description": "whether to also use HSTS if HTTPS is enabled",
+            "required": false
+        },
         "HMD_DOMAIN": {
             "description": "domain name",
             "required": false
diff --git a/lib/config/environment.js b/lib/config/environment.js
@@ -8,6 +8,9 @@ module.exports = {
   port: process.env.HMD_PORT,
   urladdport: toBooleanConfig(process.env.HMD_URL_ADDPORT),
   usessl: toBooleanConfig(process.env.HMD_USESSL),
+  hsts: {
+    enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
+  },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
   alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
   usecdn: toBooleanConfig(process.env.HMD_USECDN),
