
HSTS (HTTP Strict Transport Security) on Node-red


I'm trying to get Node-Red running on a network for a project. IT security at my workplace have run a security check and recommend that I enable HSTS. I'm not a network expert and have no idea how to do this.

I've enabled HTTPS in the settings.js file of node-red and to add HSTS (HTTP Strict Transport Security) I need to add this line to the header:

    Strict-Transport-Security: max-age=60000

Can I append this option to the Node-red settings.js file or would I have to set an environment variable outside of Node-red to do this? I've never had to do either before so can anyone offer some additional guidance on this please if this is the case?


Solution

  • At the moment there is no flag you could just set that will enable it, but you can use the httpAdminMiddleware option in settings.js to add it.

    Something like the following:

    // settings.js: runs on every request to the Node-RED editor/admin API
    httpAdminMiddleware: function(req, res, next) {
        // Tell browsers to use HTTPS only for this host for the next 60000 seconds
        res.set('Strict-Transport-Security', 'max-age=60000');
        next();
    },

    Just remember that once set, you won't be able to disable HTTPS until 60000 seconds after the last time you access Node-RED with a given browser.
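As an added example (not part of the question, the answer, or Node-RED itself), here is a reusable version of that middleware that builds the header value, only emits it on HTTPS requests (browsers ignore it over plain HTTP anyway), and can be exercised with fake request/response objects without Express installed. The `hstsMiddleware`, `buildHstsValue`, `isSecureRequest` and `runOnce` names are my own; the X-Forwarded-Proto handling assumes Node-RED sits behind a reverse proxy you trust.

```javascript
// Added example for Node-RED's httpAdminMiddleware / httpNodeMiddleware hooks,
// which receive Express-style (req, res, next). Names here are illustrative.
const DEFAULT_MAX_AGE = 60000; // seconds, the value used in the question

function buildHstsValue({ maxAge = DEFAULT_MAX_AGE, includeSubDomains = false } = {}) {
  // max-age must be a non-negative integer number of seconds (RFC 6797)
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('max-age must be a non-negative integer (seconds)');
  }
  return includeSubDomains ? `max-age=${maxAge}; includeSubDomains` : `max-age=${maxAge}`;
}

function isSecureRequest(req) {
  // Express sets req.secure when it terminates TLS itself; behind a trusted
  // reverse proxy the original scheme arrives in X-Forwarded-Proto instead.
  if (req.secure) return true;
  const fwd = (req.headers && req.headers['x-forwarded-proto']) || '';
  return fwd.split(',')[0].trim().toLowerCase() === 'https';
}

function hstsMiddleware(options) {
  const value = buildHstsValue(options);
  return function (req, res, next) {
    // Browsers must ignore Strict-Transport-Security received over plain HTTP,
    // so only send it when the request actually came in over HTTPS.
    if (isSecureRequest(req)) res.set('Strict-Transport-Security', value);
    next();
  };
}

// Drive the middleware with constructed req/res objects (no Express needed)
// and return the headers it set plus whether it passed control on.
function runOnce(middleware, req) {
  const headers = {};
  const res = { set: (name, val) => { headers[name] = val; } };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// In settings.js this would be wired up as:
//   httpAdminMiddleware: hstsMiddleware({ maxAge: 60000 }),
console.log(runOnce(hstsMiddleware(), { secure: true, headers: {} }));
console.log(runOnce(hstsMiddleware(), { secure: false, headers: {} }));
```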