Edit Page

HTTP Strict Transport Security

Strict Transport Security (STS) is an opt-in security enhancement that forces usage of HTTPS instead of HTTP (in modern browsers, anyway.)

Enabling STS

Implementing STS is actually very simple and only takes a few lines of code. But better yet, a few different open-source modules exist that bring support for this feature to Express and Sails. To use one of these modules, install it from npm using the directions below, then open config/http.js in your project and configure it as a custom middleware. The example(s) below cover basic usage and configuration. For more guidance and advanced usage details, be sure and follow the link to the docs.

Using lusca

lusca is open-source under the Apache license

# In your sails app
npm install lusca --save

Then in the middleware config object in config/http.js:

// ...
  // maxAge ==> Number of seconds strict transport security will stay in effect.
  strictTransportSecurity: require('lusca').hsts({ maxAge: 31536000 })
  // ...

Additional Resources

HTTP Strict Transport Security (OWasp)

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails-docs repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.

Documentation

Concepts

Built with Love

The Sails framework is maintained by a web & mobile studio in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!