3b056aa7b4
* replace repl.it with replit.com in the English version Replace repl.it to replit.com in the English version. Chinese and Spanish versions have the same issue. * Updated the repl.it to replit.com or Replit I changed the text from replit.com to Replit and added the changes to the files outside the curriculum folder. * Forgot removing one .com. There was on Replit.com that I missed when I reviewed the files. * Resolve conflicts I got an unable to auto merge so resolving conflicts and trying again. * try committing conflicts again * Trying the conflicts again * chore: fix typo in personal library Co-authored-by: Shaun Hamilton <51722130+ShaunSHamilton@users.noreply.github.com> Co-authored-by: gemmaf98 <44875585+gemmaf98@users.noreply.github.com> Co-authored-by: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com> Co-authored-by: Shaun Hamilton <51722130+ShaunSHamilton@users.noreply.github.com>
2.3 KiB
id, title, challengeType, forumTopicId, dashedName
| id | title | challengeType | forumTopicId | dashedName |
|---|---|---|---|---|
| 587d8248367417b2b2512c3c | Ask Browsers to Access Your Site via HTTPS Only with helmet.hsts() | 2 | 301573 | ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts |
--description--
As a reminder, this project is being built upon the following starter project on Replit, or cloned from GitHub.
HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks and cookie hijacking. If your website can be accessed via HTTPS you can ask user’s browsers to avoid using insecure HTTP. By setting the header Strict-Transport-Security, you tell the browsers to use HTTPS for the future requests in a specified amount of time. This will work for the requests coming after the initial request.
--instructions--
Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInSeconds, force: true}. You can create a variable ninetyDaysInSeconds = 90*24*60*60; to use for the timeInSeconds. Replit already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Replit header, after inspecting it for testing.
Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TLS Certificate.
--hints--
helmet.hsts() middleware should be mounted correctly
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.include(data.appStack, 'hsts');
assert.property(data.headers, 'strict-transport-security');
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
maxAge should be equal to 7776000 s (90 days)
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.match(
data.headers['strict-transport-security'],
/^max-age=7776000;?/
);
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
--solutions--
/**
Backend challenges don't need solutions,
because they would need to be tested against a full working project.
Please check our contributing guidelines to learn more.
*/