import https from 'https';
import middleware from './_common/middleware.js';
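/**
 * Requests `url` over HTTPS and reports whether the response's
 * Strict-Transport-Security header meets the checks applied here for
 * HSTS preload-list compatibility: a sufficiently long max-age, the
 * includeSubDomains directive, and the preload directive.
 *
 * NOTE(review): `url` is handed straight to https.request, so this performs a
 * server-side request to a caller-chosen host. Target validation and any
 * execution time limit are presumably enforced by the middleware wrapper;
 * confirm, because no timeout or host restriction is applied in this function.
 *
 * @param {string|URL} url - Target to request; must use the https: scheme.
 * @param {object} [event] - Unused here; part of the handler signature.
 * @param {object} [context] - Unused here; part of the handler signature.
 * @returns {Promise<object>} Resolves to `{ message, compatible, hstsHeader }`
 *   for a completed request, or to `{ statusCode, body }` when the request
 *   emits an error.
 */
const hstsHandler = async (url, event, context) => {
  // NOTE(review): hstspreload.org currently documents a one-year (31536000)
  // minimum max-age; 10886400 (18 weeks) looks like the older requirement.
  // Kept unchanged so existing verdicts and messages stay stable; confirm.
  const minimumMaxAge = 10886400;

  const errorResponse = (message, statusCode = 500) => ({
    statusCode,
    body: JSON.stringify({ error: message }),
  });

  const hstsIncompatible = (message, compatible = false, hstsHeader = null) => ({
    message,
    compatible,
    hstsHeader,
  });

  return new Promise((resolve, reject) => {
    const req = https.request(url, (res) => {
      // Only the headers are needed. Drain the body so the socket is released
      // instead of staying paused with unread data.
      res.resume();

      const hstsHeader = res.headers['strict-transport-security'];
      if (!hstsHeader) {
        resolve(hstsIncompatible(`Site does not serve any HSTS headers.`));
        return;
      }

      // Directive names are case-insensitive (RFC 6797), and the max-age value
      // may be sent as a quoted string. Word boundaries stop a longer token
      // such as "preloaded" from counting as the preload directive.
      const maxAgeMatch = hstsHeader.match(/max-age\s*=\s*"?(\d+)/i);
      const includesSubDomains = /\bincludeSubDomains\b/i.test(hstsHeader);
      const preload = /\bpreload\b/i.test(hstsHeader);

      if (!maxAgeMatch || Number.parseInt(maxAgeMatch[1], 10) < minimumMaxAge) {
        resolve(hstsIncompatible(`HSTS max-age is less than ${minimumMaxAge}.`));
      } else if (!includesSubDomains) {
        resolve(hstsIncompatible(`HSTS header does not include all subdomains.`));
      } else if (!preload) {
        resolve(hstsIncompatible(`HSTS header does not contain the preload directive.`));
      } else {
        resolve(hstsIncompatible(`Site is compatible with the HSTS preload list!`, true, hstsHeader));
      }
    });

    // Request failures are reported as a resolved error payload, not a rejection.
    req.on('error', (error) => {
      resolve(errorResponse(`Error making request: ${error.message}`));
    });

    req.end();
  });
};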
// Pass the HSTS check through the shared middleware wrapper and expose the result as the named `handler` export.
export const handler = middleware(hstsHandler);
// The wrapped handler is also the module's default export.
export default handler;