From 558ef2ce9085e882a7a8cad4fa4ab911c9e811e3 Mon Sep 17 00:00:00 2001
From: Sohrab Chegini
Date: Sun, 28 Apr 2024 18:03:52 +0330
Subject: [PATCH] HSTS: throw when misspelling "includeSubDomains" option
See [#462] and [#464].
[#462]: https://github.com/helmetjs/helmet/issues/462
[#464]: https://github.com/helmetjs/helmet/pull/464
---
 CHANGELOG.md | 1 +
 middlewares/strict-transport-security/index.ts | 2 +-
 test/strict-transport-security.test.ts | 9 +++------
 3 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd7d7f3..c035acd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - **Breaking:** `Strict-Transport-Security` now has a max-age of 365 days, up from 180
 - **Breaking:** `Content-Security-Policy` middleware now throws an error if a directive should have quotes but does not, such as `self` instead of `'self'`. See [#454](https://github.com/helmetjs/helmet/issues/454)
+- **Breaking:** `Strict-Transport-Security` now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
 ### Removed
diff --git a/middlewares/strict-transport-security/index.ts b/middlewares/strict-transport-security/index.ts
index fa6e773..18c45cf 100644
--- a/middlewares/strict-transport-security/index.ts
+++ b/middlewares/strict-transport-security/index.ts
@@ -29,7 +29,7 @@ function getHeaderValueFromOptions(
 );
 }
 if ("includeSubdomains" in options) {
- console.warn(
+ throw new Error(
 'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)',
 );
 }
diff --git a/test/strict-transport-security.test.ts b/test/strict-transport-security.test.ts
index dc1d780..73cf33f 100644
--- a/test/strict-transport-security.test.ts
+++ b/test/strict-transport-security.test.ts
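Review bot: The new `throw new Error(` only fires for the exact key `includeSubdomains`, so other casings of the same option (`includesubdomains`, `IncludeSubDomains`, …) still slip past this guard and, presumably, the header is then built without the `includeSubDomains` directive — the same silent misconfiguration this commit is hardening against, now handled inconsistently between spellings. If catching all variants is in scope, one case-insensitive scan does it in the same place: `const badKey = Object.keys(options).find((k) => k !== "includeSubDomains" && k.toLowerCase() === "includesubdomains");` followed by `if (badKey !== undefined) { throw new Error(...same message...); }` in place of the `in` check. `getHeaderValueFromOptions` begins and ends outside this hunk, so I cannot see whether an earlier check already normalizes option keys.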
@@ -87,12 +87,9 @@ describe("Strict-Transport-Security middleware", () => {
 });
 it("logs a warning when using the mis-capitalized `includeSubdomains` parameter", () => {
- jest.spyOn(console, "warn").mockImplementation(() => {});
-
- strictTransportSecurity({ includeSubdomains: false } as any);
-
- expect(console.warn).toHaveBeenCalledTimes(1);
- expect(console.warn).toHaveBeenCalledWith(
+ expect(() =>
+ strictTransportSecurity({ includeSubdomains: false } as any),
+ ).toThrow(
 'Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)',
 );
 });
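Review bot: The test title is now stale: the `it(` line still reads "logs a warning when using the mis-capitalized `includeSubdomains` parameter" while the rewritten body asserts with `.toThrow(`, so a failure report would describe behavior the middleware no longer has. Rename it to "throws when using the mis-capitalized `includeSubdomains` parameter" so the description matches the assertion. The enclosing `describe` block starts before this hunk.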