-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable HSTS headers by default on localhost #451
Comments
Interesting idea. I believe HSTS is ignored over insecure HTTP, but maybe not if you have a local HTTPS setup. Is there a way to reliably detect that a request is being made to localhost? |
I would have to dig a bit as I have not gotten up to date on this lately, but we were discussing this in a work meeting and lots of folks have hit it so I know that even if it is ignored over plain http there are setups where some projects are setting it and effecting others. Our theory was that inclusion of
We should be able to use the host header for this. There are cases where that might not cover it but since it is tied to the domain and really the goal is to prevent accidental use of it in local dev I think it is alright to do something naive to start. |
In the short term, you might be able to solve your problem like this: app.use(
helmet({
strictTransportSecurity: app.get("env") === "development",
}),
); However, you're looking for a long term solution. I don't think we can use the if req.headers["Host"] != "localhost":
includeHstsMiddleware() ...then someone could disable the HSTS header by setting the Maybe there's another trick we can use for this? |
I don't have a specific problem. I am on a platform team and was investigating why folks keep on complaining about this issue. We searched all our repos and found many projects using
Valid issue and exactly why I opened this issue to make sure this discussion had happened since I couldn't find it in the issues history. I don't believe there is a way to address this poor UX with the default's set by this package in a way doesn't relax the security posture or require the user to configure the package. Is asking users (required or warning) to configure the package like you do in your example something you would consider? Since most folks just do If you are alright with that it seems like a change which would improve the UX, and if not maybe we could just add some documentation on this specific thing which everyone can point to when folks come complaining about this behavior? |
No one else has reported anything like this. It's possible that the culprit lies elsewhere, or it's possible that nobody has used Helmet quite like this. (If I've learned anything maintaining Helmet, it's that there are a lot of really different project setups out there.) How sure are you that this is a Helmet HSTS problem?
I think you understand the tension well. Unless there's a way to reliably detect this in code (which I suspect there isn't), documentation seems like the ideal solution. However, I don't want to document this without being sure that it's really a problem with Helmet. Do you have a reliable way to reproduce this issue? |
We made some assumptions, so not sure in the least. That said I am pretty sure I could put together a reduced test case if that would help.
Haha, yeah one of the best things about helping maintain popular OSS or doing support at a big org is learning all these wild things people do. Between
Yeah after spending a bit more time thinking about it I agree fully here. No clear feature change which doens't open other issues. Frankly my goal someday is to work out a better project init for |
A reduced test case would be super helpful.
|
So I spent a bit more time this morning looking at the 100 some apps I see using the default helmet setup, and at least 2 of them were doing something like this: app.use(helmet());
app.use((req, res) => {
res.redirect('https://' + req.hostname + req.url);
}); One had it behind a guard like Seems to me like a an addition like this might be a good resolution:
|
Added a small note to the readme in 7674c63. Thanks for opening this issue, and hope it helps! |
I searched around a bit but didn't see any previous discussion of this. Has it been discussed to check if the request is on localhost and avoid setting that by default? It is regularly problematic when that header gets set on a local dev setup, so like a good default.
The text was updated successfully, but these errors were encountered: