Progressive HSTS Deployment Strategy

Implementing HSTS requires careful planning to avoid locking out users. Once a browser has stored the policy it upgrades every request to the host to HTTPS for the whole max-age and refuses to let the user click through certificate errors, so a TLS misconfiguration on any covered host becomes an outage that lasts until the stored policy expires. The safe approach is to raise max-age in stages:

Phase 1: Short Duration Testing

A five-minute max-age lets you confirm that every page, asset and redirect works over HTTPS while limiting the cost of a mistake to a few minutes of lockout.

// Start with 5 minutes
app.use((req, res, next) => {
    // Only send HSTS on HTTPS responses; browsers ignore the header
    // on plain HTTP. Behind a TLS-terminating proxy, req.secure is
    // only correct when app.set('trust proxy', ...) is configured.
    if (req.secure) {
        res.setHeader('Strict-Transport-Security', 'max-age=300');
    }
    next();
});

Phase 2: Gradual Increase

Raise max-age one phase at a time, selecting the phase through configuration so that each increase is a deploy-time decision rather than a code change. Validate the phase name at startup: an unknown value would otherwise emit max-age=undefined, which browsers discard as malformed, silently turning HSTS off.

const hstsPhases = {
    testing: 300,        // 5 minutes
    pilot: 86400,        // 1 day
    rollout: 604800,     // 1 week
    standard: 15768000,  // 6 months
    full: 31536000       // 1 year
};

const currentPhase = process.env.HSTS_PHASE || 'testing';
const maxAge = hstsPhases[currentPhase];
if (!Number.isInteger(maxAge)) {
    // Fail at startup rather than serving a malformed header
    throw new Error(`Unknown HSTS_PHASE: ${currentPhase}`);
}

app.use((req, res, next) => {
    if (req.secure) {
        res.setHeader('Strict-Transport-Security', `max-age=${maxAge}`);
    }
    next();
});

Phase 3: Subdomain Inclusion

includeSubDomains extends the policy to every subdomain of the host, including ones that never appear in a browser bookmark: internal tools, staging, mail or legacy services still served over plain HTTP. Inventory all subdomains and confirm each one serves valid TLS before enabling it, because a browser that has stored this policy will refuse plain-HTTP connections to all of them for the full year.

app.use((req, res, next) => {
    if (req.secure) {
        // Toggled separately so the directive can be added after the
        // subdomain audit without touching max-age
        const hstsValue = process.env.INCLUDE_SUBDOMAINS === 'true'
            ? 'max-age=31536000; includeSubDomains'
            : 'max-age=31536000';
        res.setHeader('Strict-Transport-Security', hstsValue);
    }
    next();
});
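The three phases combined into a single middleware factory, together with a small model of the browser-side HSTS cache that shows the lockout window each phase creates. This is an added example, not code from the original page: it assumes Express-style req/res objects, the phase table above, and uses constructed hostnames (example.com, legacy.example.com) and a constructed timeline rather than real traffic.

```javascript
// Phase table from the page, with the header built by one validated function
const HSTS_PHASES = {
    testing: 300,        // 5 minutes
    pilot: 86400,        // 1 day
    rollout: 604800,     // 1 week
    standard: 15768000,  // 6 months
    full: 31536000       // 1 year
};

// Build the header value for a phase; throw on an unknown phase instead of
// emitting "max-age=undefined", which browsers would discard as malformed.
function buildHstsHeader(phase, includeSubDomains = false) {
    const maxAge = HSTS_PHASES[phase];
    if (!Number.isInteger(maxAge)) {
        throw new Error(`unknown HSTS phase: ${phase}`);
    }
    return includeSubDomains
        ? `max-age=${maxAge}; includeSubDomains`
        : `max-age=${maxAge}`;
}

// Express-style middleware factory (hypothetical helper). Validates the
// configuration once at startup. req.secure is only trustworthy behind a
// TLS-terminating proxy when app.set('trust proxy', ...) is configured.
function hstsMiddleware({
    phase = process.env.HSTS_PHASE || 'testing',
    includeSubDomains = process.env.INCLUDE_SUBDOMAINS === 'true'
} = {}) {
    const value = buildHstsHeader(phase, includeSubDomains);
    return function (req, res, next) {
        if (req.secure) {
            res.setHeader('Strict-Transport-Security', value);
        }
        next();
    };
}

// Parse a Strict-Transport-Security value: directives separated by ';',
// names case-insensitive, max-age value optionally quoted (RFC 6797 syntax).
function parseHsts(value) {
    const policy = { maxAge: null, includeSubDomains: false };
    for (const directive of value.split(';')) {
        const [rawName, rawVal] = directive.split('=');
        const name = rawName.trim().toLowerCase();
        if (name === 'max-age' && rawVal !== undefined) {
            policy.maxAge = parseInt(rawVal.replace(/"/g, '').trim(), 10);
        } else if (name === 'includesubdomains') {
            policy.includeSubDomains = true;
        }
    }
    return policy;
}

// Minimal model of a browser's HSTS cache: what a client that received the
// header at receivedAt (ms since epoch) enforces, and until when.
class HstsCache {
    constructor() { this.hosts = new Map(); }

    receive(host, headerValue, receivedAt) {
        const p = parseHsts(headerValue);
        if (p.maxAge === null || Number.isNaN(p.maxAge)) return; // malformed: ignored
        if (p.maxAge === 0) { this.hosts.delete(host); return; } // max-age=0 clears
        this.hosts.set(host, {
            expires: receivedAt + p.maxAge * 1000,
            includeSubDomains: p.includeSubDomains
        });
    }

    // True if the client would refuse plain HTTP to host at time now
    mustUseHttps(host, now) {
        for (const [known, entry] of this.hosts) {
            if (now >= entry.expires) continue;
            if (host === known) return true;
            if (entry.includeSubDomains && host.endsWith('.' + known)) return true;
        }
        return false;
    }
}

// Constructed timeline: a client sees the testing header, then the full
// header with includeSubDomains. Shows how long each phase pins the client.
function simulateRollout() {
    const cache = new HstsCache();
    const t0 = Date.UTC(2024, 0, 1);
    cache.receive('example.com', buildHstsHeader('testing'), t0);
    const afterTesting = cache.mustUseHttps('example.com', t0 + 301 * 1000);
    cache.receive('example.com', buildHstsHeader('full', true), t0);
    return {
        afterTesting, // false: the 5-minute policy has already expired
        subdomainCovered: cache.mustUseHttps('legacy.example.com', t0 + 1000),
        pinnedJustUnderAYear: cache.mustUseHttps('example.com', t0 + 31535999 * 1000)
    };
}
```

The simulation makes the Phase 3 caveat concrete: a legacy.example.com host that still serves plain HTTP becomes unreachable for that client the moment the includeSubDomains policy is stored, and stays that way for a year unless the client revisits example.com over HTTPS and receives a replacement header.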