Increase Strict-transport-security time to 365 days

jxstxn1 · May 13, 2024 · d89b9b8 · d89b9b8
1 parent 9b04b64
commit d89b9b8
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.3.0
+
+- Set default of `strict-transport-security` to `max-age=31536000` aka 365 days. Following the recommendation of this [Issue](https://github.com/helmetjs/helmet/issues/457)
+
 ## 2.2.1
 
 - Add `As pharaoh middleware` section in README.

diff --git a/lib/src/middlewares/strict_transport_security.dart b/lib/src/middlewares/strict_transport_security.dart
@@ -7,7 +7,7 @@ import 'package:shelf/shelf.dart';
 /// it will just tell HTTPS users to stick around.
 /// You can enforce HTTPS with the [shelf-enforces-ssl](https://pub.dev/packages/shelf_enforces_ssl) package.
 ///
-/// This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:
+/// This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 365 days:
 ///
 /// ```dart
 /// import 'package:shelf_helmet/shelf_helmet.dart';
@@ -75,7 +75,7 @@ class StrictTransportSecurityOptions {
   final bool preload;
 
   const StrictTransportSecurityOptions({
-    this.maxAge = const Duration(days: 180),
+    this.maxAge = const Duration(days: 365),
     this.includeSubDomains = true,
     this.preload = false,
   });

diff --git a/pubspec.yaml b/pubspec.yaml
@@ -1,7 +1,7 @@
 name: shelf_helmet
 description: A port of the NodeJS helmet package to Dart. Helmet helps you secure your Dart Shelf/Frog apps by setting various HTTP headers.
-version: 2.2.1
-homepage: https://jxstxn.de
+version: 2.3.0
+homepage: https://jxstxn.dev
 repository: https://github.com/jxstxn1/shelf_helmet
 issue_tracker: https://github.com/jxstxn1/shelf_helmet/issues
 

diff --git a/test/middlewares/strict_transport_security_test.dart b/test/middlewares/strict_transport_security_test.dart
@@ -6,7 +6,7 @@ import '../utils/test_utils.dart';
 
 void main() {
   test(
-      "Should add the 'Strict-Transport-Security:max-age=15552000; includeSubDomains' Header",
+      "Should add the 'Strict-Transport-Security:max-age=31536000; includeSubDomains' Header",
       () async {
     final handler =
         const Pipeline().addMiddleware(strictTransportSecurity()).addHandler(
@@ -27,21 +27,21 @@ void main() {
       response.headers,
       containsPair(
         'strict-transport-security',
-        'max-age=15552000; includeSubDomains',
+        'max-age=31536000; includeSubDomains',
       ),
     );
     expect(response.headers, containsPair('content-type', 'application/json'));
   });
 
   test(
-      "Should add the 'Strict-Transport-Security:max-age=31536000; includeSubDomains' Header",
+      "Should add the 'Strict-Transport-Security:max-age=15552000; includeSubDomains' Header",
       () async {
     final handler = const Pipeline()
         .addMiddleware(
           strictTransportSecurity(
             options: const StrictTransportSecurityOptions(
               maxAge: Duration(
-                days: 365,
+                days: 180,
               ),
             ),
           ),
@@ -64,13 +64,13 @@ void main() {
       response.headers,
       containsPair(
         'strict-transport-security',
-        'max-age=31536000; includeSubDomains',
+        'max-age=15552000; includeSubDomains',
       ),
     );
     expect(response.headers, containsPair('content-type', 'application/json'));
   });
 
-  test("Should add the 'Strict-Transport-Security:max-age=15552000' Header",
+  test("Should add the 'Strict-Transport-Security:max-age=31536000' Header",
       () async {
     final handler = const Pipeline()
         .addMiddleware(
@@ -96,12 +96,12 @@ void main() {
     expect(response.statusCode, 200);
     expect(
       response.headers,
-      containsPair('strict-transport-security', 'max-age=15552000'),
+      containsPair('strict-transport-security', 'max-age=31536000'),
     );
     expect(response.headers, containsPair('content-type', 'application/json'));
   });
   test(
-      "Should add the 'Strict-Transport-Security:max-age=15552000; includeSubDomains; preload' Header",
+      "Should add the 'Strict-Transport-Security:max-age=31536000; includeSubDomains; preload' Header",
       () async {
     final handler = const Pipeline()
         .addMiddleware(
@@ -127,7 +127,7 @@ void main() {
       response.headers,
       containsPair(
         'strict-transport-security',
-        'max-age=15552000; includeSubDomains; preload',
+        'max-age=31536000; includeSubDomains; preload',
       ),
     );
     expect(response.headers, containsPair('content-type', 'application/json'));