HTTP Strict Transport Security Policy (HSTS) protects your websites and applications from man-in-the-middle attacks, cookie hijacking and protocol downgrades. However, it is disabled by default in NodeJS. Here is how to enable HTTP Strict Transport Security Policy in NodeJS.
How to Enable HTTP Strict Transport Security Policy in NodeJS
Here are the steps to enable HSTS in NodeJS. If you have not installed NodeJS on your Linux system yet, run the command that matches your distribution to install it.
Ubuntu/Debian
$ sudo apt install nodejs
Redhat/CentOS/Fedora
$ sudo yum install nodejs
1. Create/Open NodeJS file
If you have already created a NodeJS file, just open it. Otherwise, open a terminal and run the following command to create a server.js file for the server-related code.
$ sudo vi server.js
2. Add header
HSTS is enabled by adding a response header in your NodeJS server code. For example, suppose your file contains the following code.
var http = require('http');
//create a server object:
http.createServer(function (req, res) {
res.write('Hello World!'); //write a response to the client
res.end(); //end the response
}).listen(80); //the server object listens on port 80
Then add the following line before you write the response body, because response headers can only be set before the first byte of the body is sent.
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
In the above line,
- max-age – Number of seconds for which the browser must enforce HSTS. We have set it to 31536000 seconds (1 year)
- includeSubDomains – Also enforce HTTPS on all subdomains of the host
So your server code will look like,
var http = require('http');
//create a server object:
http.createServer(function (req, res) {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); //set headers before writing the body; setHeader() throws once headers are sent
res.write('Hello World!'); //write a response to the client
res.end(); //end the response
}).listen(80); //the server object listens on port 80
You may add this to all URLs processed by NodeJS, or just specific URL routes, depending on your requirement.
3. Run NodeJS Server
Run the following command to start your server.
$ sudo node server.js
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.