I am implementing a Node.js application using sails.js. I want my users to communicate only through HTTPS. To do that, I need to configure my server so that with each response it adds the header "Strict-Transport-Security", "max-age=31536000" to tell the browser to communicate with HSTS only. How can I modify every response header that I am going to send from sails.js? I searched the documentation but did not find any help.
2 Answers
Policies are only applied to the controllers that you explicitly assign them to in `config/policies.js`.
Instead of using a policy, try adding an express middleware directly in `config/express.js` (create the file if it does not already exist). This middleware is applied to ALL controllers. The format is like so:
```javascript
// config/express.js
"use strict";
exports.express = {
  customMiddleware: function (app) {
    app.use(function hsts(req, res, next) {
      res.setHeader("Strict-Transport-Security", "max-age=31536000");
      next();
    });
  }
}
```
If you have multiple express custom middleware that you want to use, my advice is to keep each middleware function in its own file. I will provide an example, using your middleware along with an additional middleware that accepts some options.
```javascript
// config/express.js
"use strict";
var hsts = require('../lib/middleware/hsts');
var staticguard = require('../lib/middleware/staticguard');
exports.express = {
  customMiddleware: function (app) {
    // ordering of middleware matters!
    app.use(hsts);
    app.use(staticguard(/^\/protected\/.*$/));
  }
}
```

```javascript
// lib/middleware/hsts.js
"use strict";
module.exports = function hsts(req, res, next) {
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  next();
}
```

```javascript
// lib/middleware/staticguard.js
"use strict";
module.exports = function (regex) {
  return function (req, res, next) {
    if (!regex.test(req.url)) {
      return next();
    }
    res.end('you are not allowed!');
  }
};
```
If you try to have multiple files export a function on the 'express.customMiddleware' namespace, I believe only the middleware of the last file loaded will work. I haven't tried it though.

- Thanks it worked. One little question, in future if I want to use `exports.express = { customMiddleware: function (app) { }); } }` for another config do I have to add them inside express.js or I can add them in different config file as well? – Muhammad Raihan Muhaimin Feb 05 '14 at 15:48
- I edited my answer to include an example of using multiple middleware – Chad Feb 05 '14 at 17:38
- You can apply a policy on every controller by editing the policies.js file in sails configuration folder like so: `'*': ['firstPolicy','secondPolicy','etc']`, where '*' is for global policies. [sails doc](http://sailsjs.org/documentation/concepts/policies) – Cris69 Jul 16 '15 at 15:04
You should be able to use Sails policies. With this you should be able to create a policy to change the headers being sent back.
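```javascript
// policies/hsts.js
module.exports = function hsts(req, res, next) {
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  // Hand control to the next policy or controller; without this the request never completes.
  next();
};
```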

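Browsers only honour `Strict-Transport-Security` when it arrives over HTTPS, so the header is usually paired with an HTTP-to-HTTPS redirect. The middleware below is an added example, not code from either answer or from Sails; it keeps the `(req, res, next)` signature used above, and the function names and the `host`, `trustProxy` and `includeSubDomains` options are assumptions.

```javascript
// Added example; buildHstsValue, isSecure and hstsMiddleware are hypothetical names.

// max-age is in seconds (31536000 = one year, the value used on this page).
function buildHstsValue(opts) {
  const maxAge = opts.maxAge === undefined ? 31536000 : opts.maxAge;
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer (seconds)');
  }
  return 'max-age=' + maxAge + (opts.includeSubDomains ? '; includeSubDomains' : '');
}

// True when the request arrived over TLS. X-Forwarded-Proto is honoured only when
// trustProxy is set, because a client can forge it if no proxy overwrites it.
function isSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = String((req.headers || {})['x-forwarded-proto'] || '');
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// opts.host (assumed: the site's canonical host name) is required for redirects.
function hstsMiddleware(opts) {
  if (!opts || typeof opts.host !== 'string' || opts.host === '') {
    throw new TypeError('opts.host is required');
  }
  const value = buildHstsValue(opts);
  return function hsts(req, res, next) {
    if (isSecure(req, opts.trustProxy)) {
      // Browsers ignore HSTS received over plain HTTP, so send it on HTTPS only.
      res.setHeader('Strict-Transport-Security', value);
      return next();
    }
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      // Do not redirect request bodies; refuse them over plain HTTP.
      res.statusCode = 403;
      return res.end('HTTPS required');
    }
    // Redirect to the configured host, never to the client-supplied Host header.
    const path = typeof req.url === 'string' && req.url.charAt(0) === '/' ? req.url : '/';
    res.statusCode = 301;
    res.setHeader('Location', 'https://' + opts.host + path);
    res.end();
  };
}

if (typeof module !== 'undefined' && module.exports) module.exports = hstsMiddleware;
```

With the layout from the first answer it would be registered inside `customMiddleware` as `app.use(hstsMiddleware({ host: 'app.example.test' }))`, where the host name is a placeholder.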