1.5 KiB
1.5 KiB
HTTP Public Key Pinning (HPKP) middleware
Adds Public Key Pinning headers to Express/Connect applications. To learn more about HPKP, check out the spec, the article on MDN, and this tutorial.
Usage:
var express = require('express')
var hpkp = require('hpkp')
var app = express()
var ninetyDaysInSeconds = 7776000
app.use(hpkp({
maxAge: ninetyDaysInSeconds,
sha256s: ['AbCdEf123=', 'ZyXwVu456='],
includeSubDomains: true, // optional
reportUri: 'http://example.com', // optional
reportOnly: false, // optional
// Set the header based on a condition.
// This is optional.
setIf: function (req, res) {
return req.secure
}
}))
Setting reportOnly
to true
will change the header from Public-Key-Pins
to Public-Key-Pins-Report-Only
.
Don't let these get out of sync with your certs! It's also recommended to test your HPKP deployment in reportOnly
mode, or alternatively, to use a very short maxAge
until you're confident your deployment is correct.