Strict-Transport-Security: fix documentation for default max-age

EvanHahn · EvanHahn · commit 77fbe3ab9690 · 2025-02-13T12:59:51.000-10:00
This changed in Helmet v8 but I forgot to update the docs. Thanks to [@kristinademeshchik on GitHub][kristinademeshchik] for pointing this out in [#479]. [#479]: #479 [kristinademeshchik]: https://github.com/kristinademeshchik
diff --git a/README.md b/README.md
@@ -358,17 +358,17 @@ You can use this as standalone middleware with `app.use(helmet.referrerPolicy())
 Default:
 
 ```http
-Strict-Transport-Security: max-age=15552000; includeSubDomains
+Strict-Transport-Security: max-age=31536000; includeSubDomains
 ```
 
 The `Strict-Transport-Security` header tells browsers to prefer HTTPS instead of insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more.
 
 ```js
-// Sets "Strict-Transport-Security: max-age=15552000; includeSubDomains"
+// Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains"
 app.use(helmet());
 ```
 
-`maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to `15552000`, which is 180 days.
+`maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to 365 days.
 
 `includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`.
 
diff --git a/middlewares/strict-transport-security/README.md b/middlewares/strict-transport-security/README.md
@@ -2,15 +2,15 @@
 
 This middleware adds the `Strict-Transport-Security` header to the response. This tells browsers, "hey, only use HTTPS for the next period of time". ([See the spec](https://tools.ietf.org/html/rfc6797) for more.) Note that the header won't tell users on HTTP to _switch_ to HTTPS, it will just tell HTTPS users to stick around. You can enforce HTTPS with the [express-enforces-ssl](https://github.com/aredo/express-enforces-ssl) module.
 
-This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 180 days:
+This will set the Strict Transport Security header, telling browsers to visit by HTTPS for the next 365 days:
 
 ```javascript
 const strictTransportSecurity = require("hsts");
 
-// Sets "Strict-Transport-Security: max-age=15552000; includeSubDomains"
+// Sets "Strict-Transport-Security: max-age=31536000; includeSubDomains"
 app.use(
   strictTransportSecurity({
-    maxAge: 15552000, // 180 days in seconds
+    maxAge: 31536000, // 365 days in seconds
   }),
 );
 ```
@@ -22,7 +22,7 @@ The `includeSubDomains` directive is present by default. If this header is set o
 ```javascript
 app.use(
   strictTransportSecurity({
-    maxAge: 15552000,
+    maxAge: 31536000,
     includeSubDomains: false,
   }),
 );
diff --git a/test/strict-transport-security.test.ts b/test/strict-transport-security.test.ts
@@ -2,7 +2,7 @@ import { check } from "./helpers";
 import strictTransportSecurity from "../middlewares/strict-transport-security";
 
 describe("Strict-Transport-Security middleware", () => {
-  it('by default, sets max-age to 180 days and adds "includeSubDomains"', async () => {
+  it('by default, sets max-age to 365 days and adds "includeSubDomains"', async () => {
     expect(31536000).toStrictEqual(365 * 24 * 60 * 60);
 
     const expectedHeaders = {
