How can we set Strict-Transport-Security in Meteor?

There doesn’t seem to be anything about Strict-Transport-Security in the official Meteor guide or browser-policy.

See HSTS - The missing link in Transport Layer Security

Same way that you add any headers to Meteor:

WebApp.connectHandlers.use(function (req, res, next) {
    res.setHeader(name, value);
    next();
});

Although in a production environment you’re usually better off putting node behind a reverse proxy and SSL terminator like nginx.

In my setup nginx is responsible for all SSL, and so is responsible for the HSTS header

4 Likes