fix #1295 add hsts to heroku

mozilla · Nov 14, 2019 · 9dc5581 · 9dc5581
1 parent 20a8a68
commit 9dc5581
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/server.js b/server.js
@@ -66,10 +66,9 @@ try {
 })();
 
 // Use helmet to set security headers
-// disable default HSTS; Ops handles it in stage & prod configs
-app.use(helmet({
-  hsts: false,
-}));
+// only enable HSTS on heroku; Ops handles it in stage & prod configs
+const hsts = AppConstants.NODE_ENV === "heroku" ? true : false;
+app.use(helmet({ hsts }));
 
 const SCRIPT_SOURCES = ["'self'", "https://www.google-analytics.com/analytics.js"];
 const STYLE_SOURCES = ["'self'", "https://code.cdn.mozilla.net/fonts/"];