gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
7ce85a8f0366be5e1eeca2998ef23d025ee111d3
freeCodeCamp/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md
Tom 7ce85a8f03 fix(learn): update helmet and bcrypt instructions so we can remove them from boilerplates (#39954) 
* fix: update helmet and bcrypt lesson instructions

* fix: update instrutions I missed

* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>

* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>
2020-11-04 19:11:36 -08:00

2.4 KiB
Raw Blame History

id, title, challengeType, forumTopicId
id title challengeType forumTopicId
587d8248367417b2b2512c3c Ask Browsers to Access Your Site via HTTPS Only with helmet.hsts() 2 301573

Description

As a reminder, this project is being built upon the following starter project on Repl.it, or cloned from GitHub. HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks and cookie hijacking. If your website can be accessed via HTTPS you can ask users browsers to avoid using insecure HTTP. By setting the header Strict-Transport-Security, you tell the browsers to use HTTPS for the future requests in a specified amount of time. This will work for the requests coming after the initial request.

Instructions

Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInSeconds, force: true}. You can create a variable `ninetyDaysInSeconds = 90*24*60*60;` to use for the `timeInSeconds`. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing. Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TSL Certificate.

Tests

tests:
  - text: helmet.hsts() middleware should be mounted correctly
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.include(data.appStack, 'hsts'); assert.property(data.headers, 'strict-transport-security'); }, xhr => { throw new Error(xhr.responseText); })
  - text: maxAge should be equal to 7776000 s (90 days)
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.match(data.headers['strict-transport-security'], /^max-age=7776000;?/); }, xhr => { throw new Error(xhr.responseText); })

Challenge Seed

Solution

/**
  Backend challenges don't need solutions, 
  because they would need to be tested against a full working project. 
  Please check our contributing guidelines to learn more.
*/