UNPKG

coach-core

Version:

Core package for the Coach.

www.sitespeed.io/documentation/coach/

sitespeedio/coach-core

66 lines (64 loc) 2.27 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
'use strict'; module.exports = { id: 'strictTransportSecurityHeader', title: 'Set a strict transport header to make sure the user always use HTTPS.', description: 'The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.', weight: 6, tags: ['headers', 'privacy'], processPage: function (page) { const offending = []; let score = 100; let advice = ''; const finalUrl = page.finalUrl; if (finalUrl.indexOf('https://') > -1) { score; page.assets.forEach(function (asset) { if (asset.url === finalUrl) { const headers = asset.headers.response; if (headers['strict-transport-security']) { score = 100; const h = headers['strict-transport-security'][0]; if (h.indexOf('includeSubDomains') === -1) { score = 90; advice = 'A strict transport header is set but miss out on setting includeSubDomains'; } if (h.indexOf('max-age=') === -1) { score = 0; advice = 'A strict transport header is set but but no max-age! The header is not set correct.'; } else { const parts = h.split(';'); if (parts[0].startsWith('max-age=')) { const time = parts[0].substring( parts[0].indexOf('=') + 1, parts[0].length ); const minSixMonth = 15768000; if (time < minSixMonth) { score -= 20; advice += 'The max age is lower than six months. Increase it to get a better score.'; } } } } else { offending.push(asset.url); } } }); } if (score === undefined) { advice = 'Set a strict transport header to make sure the user always use HTTPS.'; score = 0; } return { score: score, offending: offending, advice: advice }; } };