let hsts use settings from cdap config

add hsts settings to cdap.json add root flag
cdapio · Aug 4, 2023 · dd80900 · dd80900
1 parent 8790f91
commit dd80900
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/server/config/development/cdap.json b/server/config/development/cdap.json
@@ -16,5 +16,9 @@
   "session.secret.key": "sample-secret-key-for-encryption",
   "feature.lifecycle.management.edit.enabled": "true",
   "ui.analyticsTag": "",
-  "ui.GTM": ""
+  "ui.GTM": "",
+  "hsts.enabled": "false",
+  "hsts.max.age": 15552000,
+  "hsts.include.sub.domains": "true",
+  "hsts.preload": "true"
 }
diff --git a/server/express.js b/server/express.js
@@ -181,10 +181,13 @@ function makeApp(authAddress, cdapConfig, uiSettings) {
             reportUri: `https://csp.withgoogle.com/csp/cdap`,
           },
         },
-        hsts: {
-          includeSubDomains: true,
-          preload: true,
-        },
+        strictTransportSecurity: cdapConfig["hsts.enabled"]
+          ? {
+              maxAge: cdapConfig["hsts.max.age"],
+              includeSubDomains: cdapConfig["hsts.include.sub.domains"],
+              preload: cdapConfig["hsts.preload"],
+            }
+          : false,
         // Hub icons are cross-origin but don't supply CORS headers
         // TODO credentialless will also work but isn't supported by FF and Safari
         crossOriginEmbedderPolicy: false