HTTP Strict Transport Security

Strict Transport Security (STS, more commonly HSTS) is an opt-in security enhancement: once a browser has received the header from a site over HTTPS, it uses HTTPS instead of HTTP for that host (in modern browsers, at least).

Enabling STS

Implementing STS is actually very simple and only takes a few lines of code. Better yet, a few different open-source modules exist that bring support for this feature to Express and Sails. To use one of these modules, install it from npm using the directions below, then open config/http.js in your project and configure it as a custom middleware. The example below covers basic usage and configuration. For more guidance and advanced usage details, be sure to follow the link to the docs.

Using lusca

lusca is open-source under the Apache license.

# In your sails app
npm install lusca --save

Then in the middleware config object in config/http.js:

// ...
  // maxAge ==> Number of seconds strict transport security will stay in effect.
  strictTransportSecurity: require('lusca').hsts({ maxAge: 31536000 }),
  // Remember to list 'strictTransportSecurity' in the `order` array of this same
  // middleware config object, otherwise Sails will never run it.
  // ...
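To see what the middleware above actually does, here is a small self-contained HSTS middleware plus an audit helper, written for this page as an added example (it is not lusca's code and not part of the Sails docs). It assumes an Express/Sails-style `(req, res, next)` chain, uses the same `maxAge` option (in seconds) as the snippet above, and only emits the header on HTTPS responses, detecting a TLS-terminating proxy via the `X-Forwarded-Proto` header (that proxy check is a design choice of this example, not lusca's behaviour).

```javascript
// Added example: minimal HSTS middleware and header parser (not lusca's code).
const ONE_YEAR = 31536000; // seconds, the value used in the config snippet above

// Build the Strict-Transport-Security header value from the usual options.
function buildHstsHeader({ maxAge = ONE_YEAR, includeSubDomains = false, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Express/Sails-style middleware factory, analogous to require('lusca').hsts(...).
function hsts(options) {
  const value = buildHstsHeader(options);
  return function strictTransportSecurity(req, res, next) {
    // Browsers ignore HSTS received over plain HTTP, so only emit it when the
    // request is HTTPS, either directly or via a TLS-terminating proxy that
    // sets X-Forwarded-Proto (assumption of this example, not lusca's logic).
    const forwarded = String((req.headers && req.headers['x-forwarded-proto']) || '').toLowerCase();
    if (req.secure || forwarded === 'https') {
      res.setHeader('Strict-Transport-Security', value);
    }
    next();
  };
}

// Audit helper: parse a Strict-Transport-Security header back into its directives,
// e.g. to check that a deployed site really sends at least a one-year max-age.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const [name, rawVal] = part.trim().split('=');
    if (!name) continue;
    const key = name.toLowerCase();
    if (key === 'max-age') result.maxAge = parseInt(rawVal, 10);
    else if (key === 'includesubdomains') result.includeSubDomains = true;
    else if (key === 'preload') result.preload = true;
  }
  return result;
}

// Run the middleware against a constructed fake request/response pair.
function simulate(options, req) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; } };
  let nextCalled = false;
  hsts(options)(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```

`simulate({ maxAge: 31536000 }, { secure: true, headers: {} })` yields a `Strict-Transport-Security: max-age=31536000` header, while the same call with `secure: false` and no `X-Forwarded-Proto` yields none.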

Additional Resources
