UNPKG

request.hpkp

Version:

request.js HTTP Public Key Pinning (HPKP) drop-in support

github.com/hortopan/request.hpkp

hortopan/request.hpkp

68 lines (47 loc) 2.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# request.hpkp [Request.js](https://www.npmjs.com/package/request) drop-in replacement with support for https public key pinning ([HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning)). The module supports both public-key-pins and public-key-pins-report-only and implements report-uri callbacks. ## Installation ``` npm install request.hpkp --save ``` ## Usage ```javascript const request = require('request.hpkp'); request.get('https://domain.com', function(err,res,body){ //this request will fail if HPKP check fails. }); ``` ## How does it work **"public-key-pins"** header is parsed and cached (for a TTL determined by the max-age parameter in this header) on the first sucessful https request to a host. Subsequent calls to the same host are going to be checked against the cached keys. ### Key cache The module will by default save keys for a hostname in a JSON file saved within the os.tmpdir(). The storage path can be overwritten by calling Request.hpkpCache ```javascript const request = require('request.hpkp'); //set cache dir to /tmp/cacheDir (make sure the locatione exists!) request.hpkpCache('/tmp/cacheDir'); request.get('https://domain.com', function(err,res,body){ //this request will fail if HPKP check fails. }); ``` ### Alternative key cache stores You can use your own storage to cache and retrieve keys by overwritting set and get functions within the request.hpkpCache. ```javascript const request = require('request.hpkp'); request.hpkpCache({ get: function(hostname){ }, set: function(hostname, data){ } ); // the get function also needs to check data.expiresAt and delete when data is expired so that the pinned keys are refreshed as required. ``` ## What's missing + need to know * Somewhat hackish usage of request.js , need to refactor * No automatic testing so far. Need to write some tests * Report-uri doesn't send certificate only expected pins. ## Release History * 0.0.2 Fixed issue with request.js helper functions parameters * 0.0.1 Initial release