send a strict-transport-security header

bin/webserver.js

@@ -28,6 +28,13 @@ db.on('error', function (err) {
 
 const app = express();
 
+app.use(function (req, res, next) {
+  const stsHeaderName = 'strict-transport-security';
+  const stsHeaderValue = 'max-age=' + config.stsMaxAge;
+  res.setHeader(stsHeaderName, stsHeaderValue);
+  next();
+});
+
 // log to console when not testing
 if (! IS_TEST) {
   app.use(morgan('combined'));

lib/config.js

@@ -21,6 +21,13 @@ const config = convict({
     }
   },
 
+  enableSTS: {
+    'default': true,
+    doc: 'Send "strict-transport-security" header.',
+    env: 'ENABLE_STS',
+    format: Boolean
+  },
+
   env: {
     'default': '',
     doc: 'Node environment.',
@@ -101,6 +108,16 @@ const config = convict({
     format: String
   },
 
+  // For initial deployment, since I don't control all the clients, I'll start
+  // with a low value. Enough to break someone temporarily and know about it,
+  // but undoable.
+  stsMaxAge: {
+    'default': '120',
+    doc: 'Strict-Transport-Security max-age value (in seconds).',
+    env: 'STS_MAX_AGE',
+    format: String
+  },
+
   webPort: {
     'default': 8080,
     doc: 'Port number for web server to listen on.',

tests/index.js

@@ -53,6 +53,20 @@ describe('loading main page content path /README', function() {
   });
 });
 
+describe('responses must return a "strict-transport-security" header, if enabled', function() {
+  const stsHeaderName = 'strict-transport-security';
+  const stsHeaderValue = 'max-age=' + config.stsMaxAge;
+  it('has STS header', function(done) {
+    http.request(requestOptions('GET', '/README'), (res) => {
+      (res.statusCode).should.equal(200);
+      if (config.enableSTS) {
+        (res.headers[stsHeaderName]).should.equal(stsHeaderValue);
+      }
+      done();
+    }).end();
+  });
+});
+
 describe('clearing email', function() {
   it('should work', function(done) {
     http.request(requestOptions('DELETE', '/mail/me@localhost'), (res) => {