Merge pull request #1365 from mozilla/add-hsts-to-heroku-1295

fix #1295 add hsts to heroku
mozilla · Nov 14, 2019 · eb5e5f8 · eb5e5f8
2 parents e56b8d4 + 9dc5581
commit eb5e5f8
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/server.js b/server.js
@@ -66,10 +66,9 @@ try {
 })();
 
 // Use helmet to set security headers
-// disable default HSTS; Ops handles it in stage & prod configs
-app.use(helmet({
-  hsts: false,
-}));
+// only enable HSTS on heroku; Ops handles it in stage & prod configs
+const hsts = AppConstants.NODE_ENV === "heroku" ? true : false;
+app.use(helmet({ hsts }));
 
 const SCRIPT_SOURCES = ["'self'", "https://www.google-analytics.com/analytics.js"];
 const STYLE_SOURCES = ["'self'", "https://code.cdn.mozilla.net/fonts/"];