HighFile-scopeJavaScript / TypeScript Plug & play

Enforce HSTS and secure cookies in Express

Use helmet to set HSTS and configure cookies with Secure, HttpOnly, and SameSite. Reject HTTP by redirecting to HTTPS.

Why this matters

TLS and secure session cookies meet SOC 2 encryption-in-transit expectations.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

app.use((req,res,next)=>next()); // no headers

Prefer

app.use(require('helmet')({ hsts: { maxAge: 31536000, includeSubDomains: true } }));
res.cookie('sid', v, { secure:true, httpOnly:true, sameSite:'lax' });

More snippets

Good

app.use(helmet())

Bad

res.cookie('sid', v)

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy