HTTPS, HSTS, and secure headers for auth endpoints
HTTPS requirement for auth, HSTS header, helmet.js setup, Content-Security-Policy, X-Frame-Options, secure cookie prerequisite, HSTS preload
HTTPS, HSTS, and Secure Headers
Auth over HTTP is not auth; it is credential exposure. Every auth endpoint must be served over HTTPS only. The Secure cookie attribute enforces this for cookies (a browser never sends a Secure cookie over plain HTTP), and HSTS enforces it for the whole origin by making the browser upgrade every request before it leaves. One prerequisite that is easy to miss: when TLS terminates at a load balancer or reverse proxy, Express sees plain HTTP, so set `app.set('trust proxy', 1)` (adjusted to your proxy layout) so that `req.secure` reflects the X-Forwarded-Proto header and `secure: true` session cookies are actually issued.
```js
const helmet = require('helmet');
app.use(helmet()); // Sets helmet's bundle of security headers with safe defaults.
                   // Note: helmet() already sends a default HSTS and CSP; the
                   // explicit calls below replace those defaults.

// HSTS: tell browsers to only use HTTPS for this domain
// Once sent, browsers enforce this for `maxAge` seconds — cannot be easily undone
app.use(helmet.hsts({
  maxAge: 31536000,        // 1 year, in seconds (the minimum hstspreload.org accepts)
  includeSubDomains: true, // required for preload; covers every subdomain
  preload: true            // only adds the `preload` token; submitting the domain
                           // at hstspreload.org is a separate, manual step
}));

// Content Security Policy — restricts script sources
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],       // no 'unsafe-inline': inline <script> blocks are refused
    objectSrc: ["'none'"],       // no plugins (Flash/PDF embeds) as a script vector
    upgradeInsecureRequests: []  // rewrites http:// subresource URLs to https://
  }
}));
```

Key headers helmet sets by default: X-Frame-Options: SAMEORIGIN (prevents clickjacking by refusing to render the page inside a cross-origin frame), X-Content-Type-Options: nosniff (prevents MIME sniffing), Referrer-Policy: no-referrer (keeps URLs, which may carry password-reset or session tokens, out of the Referer header). Verify the live result with `curl -sI https://your-host/login` rather than trusting the config alone: a CDN or reverse proxy in front of the app can strip or override headers.
HSTS is a one-way door: once a browser has seen your HSTS header (it is only honored when received over HTTPS), it will refuse plain-HTTP connections to the domain for the full maxAge, and with includeSubDomains that covers every subdomain, including ones that were never served over TLS. Roll it out with a short maxAge (a few minutes) on a staging domain first, confirm the bare domain and every subdomain work over HTTPS, then raise it to a year. A header with max-age=0 clears a browser's cached entry, but removal from the preload list takes months, so only add preload once you are certain.
