fix(plugin-htlc-coordinator-besu): add missing HSTS header

The web-application does not define an HSTS header, leaving it vulnerable to attack. Failure to set an HSTS header and provide it with a reasonable max-age value of at least one year may leave users vulnerable to Man-in-the-Middle attacks. We have added such a header in this commit. Signed-off-by: Kris Stern <[email protected]>
hyperledger-cacti · May 4, 2024 · dff34e8 · dff34e8
1 parent 86fcc7c
commit dff34e8
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -36,6 +36,9 @@ coverage/
 !.vscode/template.launch.json
 !.vscode/extensions.json
 
+# IntelliJ files
+.idea/
+
 # Introperability App specifics
 examples/simple-asset-transfer/fabric/**/hfc-key-store/
 

diff --git a/...ugin-htlc-coordinator-besu/src/main/typescript/web-services/counterparty-htlc-endpoint.ts b/...ugin-htlc-coordinator-besu/src/main/typescript/web-services/counterparty-htlc-endpoint.ts
@@ -101,6 +101,10 @@ export class CounterpartyHTLCEndpoint implements IWebServiceEndpoint {
         );
       }) as unknown as PluginHTLCCoordinatorBesu;
       const resBody = await connector.counterpartyHTLC(request);
+      res.setHeader(
+        "Strict-Transport-Security",
+        "max-age=31536000; includeSubDomains; preload",
+      );
       res.json(resBody);
     } catch (ex) {
       this.log.error(`Crash while serving ${reqTag}`, ex);

diff --git a/...rc/test/typescript/integration/plugin-htlc-coordinator/counterparty-htlc-endpoint.test.ts b/...rc/test/typescript/integration/plugin-htlc-coordinator/counterparty-htlc-endpoint.test.ts
@@ -91,11 +91,11 @@ test(testCase, async (t: Test) => {
     ]),
     logLevel,
   });
-  keychainPlugin.set(
+  await keychainPlugin.set(
     DemoHelperJSON.contractName,
     JSON.stringify(DemoHelperJSON),
   );
-  keychainPlugin.set(
+  await keychainPlugin.set(
     HashTimeLockJSON.contractName,
     JSON.stringify(HashTimeLockJSON),
   );
@@ -253,6 +253,11 @@ test(testCase, async (t: Test) => {
 
   const response = await htlcCoordinatorBesuApiClient.ownHtlcV1(ownHTLCRequest);
   t.equal(response.status, 200, "response status is 200 OK");
+  t.equal(
+    response.headers["Strict-Transport-Security"],
+    "max-age=31536000; includeSubDomains; preload",
+    "response header is max-age=31536000; includeSubDomains; preload OK",
+  );
   t.equal(response.data.success, true, "response success is true");
   t.ok(
     response.data,
@@ -295,6 +300,11 @@ test(testCase, async (t: Test) => {
     counterpartyHTLCRequest,
   );
   t.equal(response2.status, 200, "response status is 200 OK");
+  t.equal(
+    response2.headers["Strict-Transport-Security"],
+    "max-age=31536000; includeSubDomains; preload",
+    "response header is max-age=31536000; includeSubDomains; preload OK",
+  );
   t.equal(response2.data.success, true, "response success is true");
   t.equal(response2.data.callOutput, "1", "the contract status is 1 - Active");
 });