HTTPS Policy Middleware

Build middleware for a Koa application that enforces HTTPS security policies on different routes.

Requirements

Create a Koa application with security middleware that enforces HTTPS by instructing browsers to only use secure connections.

Default HTTPS Policy

Apply a default HTTPS enforcement policy to all routes with the following requirements:

• Browser must remember to use HTTPS for 90 days (7776000 seconds)
• Policy must apply to all subdomains
• Send the appropriate security header in responses

Route-Specific Policies

Implement different HTTPS enforcement policies for specific routes:

Admin routes (paths starting with /admin):

• Enforce HTTPS for 1 year (31536000 seconds)
• Include subdomains
• Enable preload list eligibility

Development routes (paths starting with /dev):

• Enforce HTTPS for 30 days (2592000 seconds)
• Include subdomains
• Do not enable preload

All other routes should use the default 90-day policy.

Test Cases

• Default routes return the correct HTTPS enforcement header with 90-day duration and subdomain inclusion @test
• Admin routes return the correct HTTPS enforcement header with 1-year duration, subdomain inclusion, and preload enabled @test
• Development routes return the correct HTTPS enforcement header with 30-day duration and subdomain inclusion @test

Implementation

@generates

API

import Koa from 'koa';

/**
 * Creates and configures a Koa application with HTTPS enforcement policies
 *
 * @returns Configured Koa application instance with route-specific HTTPS policies
 */
export function createApp(): Koa;

Dependencies { .dependencies }

koa { .dependency }

Provides the web application framework.

koa-helmet { .dependency }

Provides security header middleware for HTTPS enforcement.