diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5027a08..3eead06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 ## 8.0.0
+### Changed
+
+- **Breaking:** `Strict-Transport-Security` now has a max-age of 365 days, up from 180
+
 ### Removed
 - **Breaking:** Drop support for Node 16 and 17. Node 18+ is now required
diff --git a/middlewares/strict-transport-security/index.ts b/middlewares/strict-transport-security/index.ts
index ea242ba..fa6e773 100644
--- a/middlewares/strict-transport-security/index.ts
+++ b/middlewares/strict-transport-security/index.ts
@@ -1,6 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "http";
-const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;
+const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60;
 export interface StrictTransportSecurityOptions {
   maxAge?: number;
diff --git a/test/index.test.ts b/test/index.test.ts
index ed9738c..5604e25 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -35,7 +35,7 @@ describe("helmet", () => {
       "cross-origin-resource-policy": "same-origin",
       "origin-agent-cluster": "?1",
       "referrer-policy": "no-referrer",
-      "strict-transport-security": "max-age=15552000; includeSubDomains",
+      "strict-transport-security": "max-age=31536000; includeSubDomains",
       "x-content-type-options": "nosniff",
       "x-dns-prefetch-control": "off",
       "x-download-options": "noopen",
diff --git a/test/strict-transport-security.test.ts b/test/strict-transport-security.test.ts
index fa132e6..dc1d780 100644
--- a/test/strict-transport-security.test.ts
+++ b/test/strict-transport-security.test.ts
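Review bot: The new `const DEFAULT_MAX_AGE = 365 * 24 * 60 * 60;` line in middlewares/strict-transport-security/index.ts carries no explanation of why one year was chosen, and the reason is security-relevant: 31536000 seconds is the minimum max-age the HSTS preload list requires, so a comment such as `// One year (31536000 s): the minimum max-age the HSTS preload list accepts.` would keep the next maintainer from lowering it casually. The `maxAge?: number;` field in `StrictTransportSecurityOptions` names no unit, while the header in the tests is emitted in seconds; a TSDoc line above it, `/** max-age directive in seconds; defaults to one year (31536000). */`, would prevent callers from passing days or milliseconds. Whether `maxAge` is validated as a non-negative integer is not visible here, as the option's use lies outside this hunk.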
@@ -3,10 +3,10 @@ import strictTransportSecurity from "../middlewares/strict-transport-security";
 describe("Strict-Transport-Security middleware", () => {
   it('by default, sets max-age to 180 days and adds "includeSubDomains"', async () => {
-    expect(15552000).toStrictEqual(180 * 24 * 60 * 60);
+    expect(31536000).toStrictEqual(365 * 24 * 60 * 60);
     const expectedHeaders = {
-      "strict-transport-security": "max-age=15552000; includeSubDomains",
+      "strict-transport-security": "max-age=31536000; includeSubDomains",
     };
     await check(strictTransportSecurity(), expectedHeaders);
@@ -45,20 +45,20 @@ describe("Strict-Transport-Security middleware", () => {
   it("disables subdomains with the includeSubDomains option", async () => {
     await check(strictTransportSecurity({ includeSubDomains: false }), {
-      "strict-transport-security": "max-age=15552000",
+      "strict-transport-security": "max-age=31536000",
     });
   });
   it("can enable preloading", async () => {
     await check(strictTransportSecurity({ preload: true }), {
       "strict-transport-security":
-        "max-age=15552000; includeSubDomains; preload",
+        "max-age=31536000; includeSubDomains; preload",
     });
   });
   it("can explicitly disable preloading", async () => {
     await check(strictTransportSecurity({ preload: false }), {
-      "strict-transport-security": "max-age=15552000; includeSubDomains",
+      "strict-transport-security": "max-age=31536000; includeSubDomains",
     });
   });
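Review bot: The `it(...)` title on the second context line of the first hunk still says `sets max-age to 180 days` while the assertions beneath it were changed to 365 days, so the test name now contradicts what it verifies; change it to `it('by default, sets max-age to 365 days and adds "includeSubDomains"', async () => {`. The added `expect(31536000).toStrictEqual(365 * 24 * 60 * 60);` checks arithmetic rather than the middleware; it is fine as a guard on the literal used in `expectedHeaders`, but a comment such as `// sanity-check the literal below against the intended default` would make that intent explicit. That `it` block continues past the end of the hunk.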