UNPKG

rfc7469-node

Version:

Express middleware for HTTPS public key pinning (RFC 7469)

github.com/SomeoneWeird/rfc7469-node

SomeoneWeird/rfc7469-node

47 lines (31 loc) 1.71 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# rfc7469-node Express middleware for HTTPS public key pinning (RFC 7469) # Example ```js var rfc7469 = require('rfc7469'); var app = express(); app.use(rfc7469({ includeSubdomains: true, maxAge: Date.now() + 604800000, reportURI: "http://mydomain.com/report", pins: [ "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=", "LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=" ] })); ... etc ``` # Usage ## rfc7469(options) Returns a function which can be used as middleware for express. ### Options | Name | Type | Required | Example | Default | Description | |-------------------|------------------|----------|-------------------------------|------------------|--------------------------------------------------------| | maxAge | number | ✓ | 123456 | N/A | Maximum time the browser will cache this header. | | pins | array of strings | | | [ "one", "two" ] | SHA256 fingerprint of certificate subject | | includeSubdomains | boolean | | true | N/A | Should the browser use this header for subdomains too. | | reportURI | string | | "http://mywebsite.com/report" | N/A | URL the browser will send reports to. | ## reportOnly() Makes the middleware only set the `Public-Key-Pins-Report-Only` header instead of enforcing it. # Considerations It is up to the user that this middleware is only set on connections that are served over HTTPS.