HSTS: throw when misspelling "includeSubDomains" option

See [#462] and [#464]. [#462]: #462 [#464]: #464
helmetjs · Sep 28, 2024 · 558ef2c · 558ef2c
1 parent 73e7595
commit 558ef2c
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - **Breaking:** `Strict-Transport-Security` now has a max-age of 365 days, up from 180
 - **Breaking:** `Content-Security-Policy` middleware now throws an error if a directive should have quotes but does not, such as `self` instead of `'self'`. See [#454](https://github.com/helmetjs/helmet/issues/454)
+- **Breaking:** `Strict-Transport-Security` now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
 
 ### Removed
 

diff --git a/middlewares/strict-transport-security/index.ts b/middlewares/strict-transport-security/index.ts
@@ -29,7 +29,7 @@ function getHeaderValueFromOptions(
     );
   }
   if ("includeSubdomains" in options) {
-    console.warn(
+    throw new Error(
       'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)',
     );
   }

diff --git a/test/strict-transport-security.test.ts b/test/strict-transport-security.test.ts
@@ -87,12 +87,9 @@ describe("Strict-Transport-Security middleware", () => {
   });
 
   it("logs a warning when using the mis-capitalized `includeSubdomains` parameter", () => {
-    jest.spyOn(console, "warn").mockImplementation(() => {});
-
-    strictTransportSecurity({ includeSubdomains: false } as any);
-
-    expect(console.warn).toHaveBeenCalledTimes(1);
-    expect(console.warn).toHaveBeenCalledWith(
+    expect(() =>
+      strictTransportSecurity({ includeSubdomains: false } as any),
+    ).toThrow(
       'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)',
     );
   });