Add hpkp

helmetjs · Mar 5, 2015 · a6ee110 · a6ee110
1 parent e913076
commit a6ee110
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ Helmet is really just a collection of 9 smaller middleware functions:
 - [crossdomain](https://github.com/helmetjs/crossdomain) for serving `crossdomain.xml`
 - [contentSecurityPolicy](https://github.com/helmetjs/csp) for setting Content Security Policy
 - [hidePoweredBy](https://github.com/helmetjs/hide-powered-by) to remove the X-Powered-By header
+- [hpkp](https://github.com/helmetjs/hpkp) for HTTP Public Key Pinning
 - [hsts](https://github.com/helmetjs/hsts) for HTTP Strict Transport Security
 - [ieNoOpen](https://github.com/helmetjs/ienoopen) sets X-Download-Options for IE8+
 - [noCache](https://github.com/helmetjs/nocache) to disable client-side caching
@@ -261,6 +262,24 @@ app.use(helmet.noCache({ noEtag: true }));
 
 **Limitations:** Caching has some real benefits, and you lose them here (which is why it's disabled in the default configuration). Browsers won't cache resources with this enabled, although some performance is retained if you keep ETag support. It's also possible that you'll introduce *new* bugs and you'll wish people had old resources cached, but that's less likely.
 
+### Public Key Pinning: HPKP
+
+**Trying to prevent:** HTTPS certificates can be forged, allowing man-in-the middle attacks. [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning) aims to help that.
+
+**How to use Helmet to mitigate this:** Pass the "Public-Key-Pins" header to better assert your SSL certificates. [See the spec](https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21) for more.
+
+```javascript
+var ninetyDaysInMilliseconds = 7776000000;
+app.use(helmet.publicKeyPins({
+  maxAge: ninetyDaysInMilliseconds,
+  sha256s: ['AbCdEf123=', 'ZyXwVu456='],
+  includeSubdomains: true,         // optional
+  reportUri: 'http://example.com'  // optional
+}));
+```
+
+**Limitations:** Don't let these get out of sync with your certs!
+
 ### A restrictive crossdomain.xml: crossdomain
 
 **Trying to prevent:** Adobe defines [the spec for crossdomain.xml](http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html), a policy file that grants some Adobe products (like Flash) read access to resources on your domain. An unrestrictive policy could let others load things off your domain that you don't want.

diff --git a/config.json b/config.json
@@ -5,6 +5,7 @@
     "helmet-crossdomain": ["crossdomain", "crossDomain"],
     "helmet-csp": ["csp", "contentSecurityPolicy"],
     "hide-powered-by": ["hidePoweredBy", "hideXPoweredBy"],
+    "hpkp": ["hpkp", "publicKeyPinning", "publicKeyPins", "hPkp", "hkpk"],
     "hsts": ["hsts"],
     "ienoopen": ["ienoopen", "ieNoOpen", "IENoOpen"],
     "nocache": ["nocache", "noCache"],

diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
     "helmet-crossdomain": "0.1.0",
     "helmet-csp": "0.2.1",
     "hide-powered-by": "0.1.0",
+    "hpkp": "0.1.0",
     "hsts": "0.1.0",
     "ienoopen": "0.1.0",
     "nocache": "0.2.0",