const class afSleepSafe::StrictTransportGuard
sys::Obj afSleepSafe::StrictTransportGuard : afSleepSafe::Guard
Guards against protocol downgrade attacks and cookie hijacking by setting a Strict-Transport-Security
HTTP response header that tells browsers to only use HTTPS for this domain, for example:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
See HTTP Strict Transport Security (HSTS) and RFC 6797 for details.
IoC Configuration
HSTS is disabled by default, as you don't want to force your development environment into using HTTPS! To enable, contribute this class to the SleepSafeMiddleware configuration:

    @Contribute { serviceType=SleepSafeMiddleware# }
    Void contributeSleepSafeMiddleware(Configuration config, IocEnv iocEnv) {
        if (iocEnv.isProd)
            config[StrictTransportGuard#] = StrictTransportGuard(5day)
    }
make
new make(Duration maxAge := 365day, Bool includeSubdomains := false, Bool preload := false)
Creates a StrictTransportGuard instance.
- maxAge - How long future requests to the domain should go over HTTPS.
- includeSubdomains - If subdomains should also be HTTPS.
- preload - Allow this domain to be included in browsers' HSTS preload list. See https://hstspreload.org/ for details.
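As an added illustration (Python, not part of afSleepSafe, which is written in Fantom), the following renders the header value from the same three knobs as make(), parses a received value per RFC 6797, and reports why hstspreload.org would reject it. The preload criteria (max-age of at least one year, includeSubDomains, preload) are assumed from that site's published rules, not from this page.

```python
import re

# hstspreload.org submission criteria (assumed from the site's published rules, not from afSleepSafe)
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds; the guard's default 365day renders to this

def build_hsts(max_age_seconds, include_subdomains=False, preload=False):
    """Render the header value from the same three knobs as StrictTransportGuard.make()."""
    if max_age_seconds < 0:
        raise ValueError("max-age must not be negative")
    parts = [f"max-age={max_age_seconds}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)

def parse_hsts(value):
    """Parse per RFC 6797: ';'-separated, case-insensitive names, max-age mandatory, no repeats."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:  # a browser ignores the whole header in this case
            raise ValueError(f"duplicate directive: {name}")
        if name == "max-age":
            val = val.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError("max-age must be delta-seconds")
            directives[name] = int(val)
        else:
            directives[name] = val.strip() or True  # valueless directives become flags
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives

def preload_issues(value):
    """Reasons hstspreload.org would reject the header; an empty list means eligible."""
    d = parse_hsts(value)
    issues = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age {d['max-age']} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains directive missing")
    if "preload" not in d:
        issues.append("preload directive missing")
    return issues
```

The header shown at the top of this page (two years, includeSubDomains, preload) yields an empty issue list, whereas the StrictTransportGuard(5day) from the IoC example renders to max-age=432000 and fails all three preload checks.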