hof 23.0.0-frontend-v4-beta.14 → 23.0.0-vite-sourcemap-beta

package/CHANGELOG.md

@@ -1,4 +1,15 @@
-## 2025-10-25, Version 23.0.0 (Stable), @Rhodine-orleans-lindsay
+## 2025-12-16, Version 23.0.0 (Stable), @PaolaDMadd-Pro @Rhodine-orleans-lindsay
+### Changed
+- Replaced Browserify with Vite
+  - removed browserify dependencies including in tests
+  - added vite configuration and related tests
+- Updated readme.md
+- Potential **breaking changes**:
+  - Node version required for Vite is `20.19.0 || >=22.12.0`
+  - Updated engine requirements to use node to `>=20.19.0`
+  - Vite uses Rollup in production and requires optional rollup dependencies to be loaded. Setting `--ignore-optional flag`  in Dockerfiles will result in "Module not found" errors in CI/CD or Docker.
+
+## 2025-12-09, Version 22.13.0 (Stable), @Rhodine-orleans-lindsay
 ### Changed
 - Updated cookie banner view to follow GOV.UK design system. Updated cookieSettings.js to allow for different confirmation text based on whether cookies were accepted or rejected
 - Added inputmode='numeric' to date component
@@ -10,7 +21,39 @@
 - Added a modifier for phone text input styles that accept sequences of digits
 - Added govuk-template--rebranded class to govuk template html to enable govuk rebrand styles:
   - Updated header and footer to follow GOV.UK design system as part of rebrand
-  * ⛓️‍💥 **BREAKING CHANGE** : files and folders in a project's `assets` folder will need to be moved to a `assets/rebrand` folder. Add a `rebrand` folder to the `assets` folder. e.g. `assets/images` will need to be moved to `assets/rebrand/images`. 
+
+## 2025-11-20, Version 22.12.0 (Stable), @dk4g @jamiecarterHO
+
+### Infrastructure  
+- Updated CI/CD pipeline to test against Node.js 20.x, 22.x, and 24.x
+- Updated Redis testing versions to 7 and 8
+- Added `NODE_VERSION` environment variable for consistent Node.js version across jobs
+- Updated release process to use Node.js 24 for tagging and publishing operations
+
+### Security
+  - Replaced deprecated `crypto.createCipher`/`crypto.createDecipher` with `crypto.createCipheriv`/`crypto.createDecipheriv`
+  - Added proper initialisation vector (IV) handling for enhanced security
+  - Enforced 32-byte session secret requirement for AES-256 encryption compatibility
+  - Removed insecure default session secret ('changethis') - now requires explicit configuration
+
+### Migration Notes
+- **Session Reset Required**: Due to enhanced encryption security, existing user sessions will be invalidated and users will need to re-authenticate after this update
+- **Session Secret**: You must now set a unique `SESSION_SECRET` environment variable of exactly 32 bytes for encryption compatibility. 
+For testing purposes, you can use the following command to generate a random value. For production environments, consult a security expert or refer to official cryptographic guidelines to generate a secure secret
+`node -e "console.log(require('crypto').randomBytes(16).toString('hex'))"`
+
+## 2025-11-15, Version 22.11.0 (Stable), @Rhodine-orleans-lindsay
+
+### Changed
+- Updated custom session-timeout handling so that custom behaviours are not blocked by a `404` middleware error.
+
+### Added
+- Added a `CUSTOM_SESSION_EXPIRY` environment variable so that a time other than the redis session ttl can be used for the session timeout. **IMPORTANT**: The `CUSTOM_SESSION_EXPIRY` variable must always be a time before the redis session ttl would expire so that behaviours can run before the `SESSION_TIMEOUT` middleware is triggered.
+- Added a `USE_CUSTOM_SESSION_TIMEOUT` that is `false` by default. When set to `true` the '/session-timeout' page can run before the session expires without triggering a `404` middleware error.
+
+   - 🎬 Action:
+      - For custom session timeout handling that is not linked to the redis session ttl, The following variables must be set: `CUSTOM_SESSION_EXPIRY` to the relevant expiry time e.g.600 and `USE_CUSTOM_SESSION_TIMEOUT` to true.
+      - If a behaviour is required on the '/session-timeout` step, the '/session-timeout' step must be set in the project's index.js, along with any relevant behaviours.
 
 ## 2025-10-10, Version 22.10.4 (Stable), @dk4g
 ### Security

package/README.md

@@ -60,7 +60,7 @@ It is recommended to alias `hof-build` to an npm script in your package.json.
 
 ## Tasks
 
-- `browserify` - compiles client-side js with browserify
+- `vite` - compiles client-side js with vite in development and rollup in production. Requires node version `^20.19.0 || >=22.12.0`.
 - `sass` - compiles sass
 - `images` - copies images from ./assets/images directory to ./public/images
 - `translate` - compiles translation files
@@ -69,21 +69,18 @@ Note: For SASS compilation it's possible to additionally configure the following
 - `outputStyle` - Controls whether the CSS output is compressed or not, expanded (default) = non compressed and compressed = compressed CSS output.
 - `quietDeps` - This controls whether you get deprecation warning shown in the console output, if set to false (default) SASS deprecation warnings will be shown in the console, if set to true then deprecation warnings will not be shown in the console output.
 - `sourceMaps` - This controls whether the build will output css sourcemaps to help with debugging. These will be output to the same directory as the css output as a .map file. This option is not currently available in production.
-
-For JavaScript compilation, browserify can be set to debug mode by setting the `debug` option to true. This will cause browserify to output JavaScript sourcemaps as a .js.map file to the same directory as the js bundle.
-
-Debugging example (in hof.settings or your build config)
+For JavaScript compilation, Vite outputs JavaScript sourcemaps as a .js.map file to the same directory as the js bundle.
+You can change sourcemaps' default settings in hof.settings or your build config as follows:
 ```
   "build": {
     "sass": {
       "sourceMaps": true
     },
-    "browserify": {
-      "debug": true
-    }
+     "js": {
+      "sourceMaps": true
+    },
   }
 ```
-
 ## Watch
 
 You can additionally run a `watch` task to start a server instance, which will automatically restart based on changes to files. This will also re-perform the tasks above when relevant files change.
@@ -109,7 +106,7 @@ hof-build watch --env .envdev
 
 ## Configuration
 
-The default settings will match those for an app generated using [`hof-generator`](https://npmjs.com/hof-generator).
+The default settings will match those for an app generated using [`hof-generator`](https://npmjs.com/hof-generator) (⚠️ This package has been deprecated).
 
 If a `hof.settings.json` file is found in the application root, then the `build` section of the settings file will be used to override [the default configuration](./defaults.js).
 
@@ -119,17 +116,9 @@ Alternatively you can define a path to a local config file by passing a `--confi
 hof-build --config /path/to/my/config.js
 ```
 
-Any task can be disabled by setting its configuration to `false` (or any falsy value).
-
-```js
-module.exports = {
-  browserify: false,
-};
-```
-
 ### Configuration options
 
-Each task has a common configuration format with the following options:
+Each task (except Vite) has a common configuration format with the following options:
 
 - `src` - defines the input file or files for the build task
 - `out` - defines the output location of the built code where relevant
@@ -867,7 +856,7 @@ Kubernetes healthcheck URLs are provided as defaults if no overrides are supplie
 |----------|-------------|---------|---------|
 | `SHOW_COOKIES_BANNER` | Controls whether the cookies banner is displayed | Auto-detected based on GA tags | `true`, `false` |
 
-**Behavior:**
+**Behaviour:**
 - If `SHOW_COOKIES_BANNER` is explicitly set, that value is used
 - If not set, banner is automatically shown when `GA_TAG` or `GA_4_TAG` is present
 - If no GA tags are configured, banner is hidden by default
@@ -1328,7 +1317,11 @@ This feature allows you to customise the content related to the session timeout
 
 ### Usage
 
-To enable and customise the session timeout behavior, you need to set the component and translations in your project's `hof.settings.json` file:
+By default, the session timeout is set to the redis session ttl. To bypass this and display the session timeout message before the redis session ttl the following evironment variables must be set:
+`CUSTOM_SESSION_EXPIRY` - e.g. `600`. Configure to expire before thte project's redis session ttl.
+`USE_CUSTOM_SESSION_TIMEOUT` -  `false` by default. When set to `true` the '/session-timeout' page can run before the session expires without triggering a `404` middleware error.
+
+To enable and customise the session timeout behaviour, you need to set the component and translations in your project's `hof.settings.json` file:
 ```json
  "behaviours": [
     "hof/components/session-timeout-warning"
@@ -1348,6 +1341,20 @@ By default, the framework uses the standard content provided by HOF. If you wish
   "saveExitFormContent": true // allows you to customise the content on the save-and-exit page
 ```
 
+To override the default session-timeout page completely, the path to the session-timeout.html should be set in the views property in the hof.settings.json file e.g. 
+```json
+ "behaviours": [
+    "hof/components/session-timeout-warning"
+  ],
+  "translations": "./apps/common/translations",
+   "views": ["./apps/common/views"], // allows you to overide the HOF default session-timeout page and use a custom one from the specified views
+   ...
+```
+or in the project's `server.js` e.g.
+```js
+settings.views = path.resolve(__dirname, './apps/common/views');
+```
+
 ### Customising content in `pages.json`
 Once the variables are set, you can customise the session timeout warning and exit messages in your project's pages.json:
 

package/build/tasks/images/index.js

@@ -4,7 +4,6 @@
 const fs = require('fs');
 const chalk = require('chalk');
 const spawn = require('../../lib/spawn');
-const mkdir = require('../../lib/mkdir');
 
 module.exports = config => {
   if (!config.images) {
@@ -28,11 +27,11 @@ module.exports = config => {
       console.log(`${chalk.yellow('warning')}: Skipping missing images folder: ${src}`);
       return Promise.resolve();
     }
-    return mkdir(imagesOutput)
-      .then(() => spawn('cp', ['-r', `${src}/.`, imagesOutput]));
+    return spawn('cp', ['-r', `${src}/.`, imagesOutput]);
   }))
     .catch(e => {
       if (e.code !== 'ENOENT') {
+        console.error(`${chalk.red('error')}: Failed to copy images - ${e.message}`);
         throw e;
       } else {
         console.log(`${chalk.yellow('warning')}: no images directory found at ${config.images.src}`);

package/build/tasks/index.js

@@ -1,7 +1,7 @@
 'use strict';
 
 module.exports = {
-  browserify: require('./browserify'),
+  vite: require('./vite'),
   sass: require('./sass'),
   translate: require('./translate'),
   images: require('./images')

package/build/tasks/vite/index.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const vite = require('vite');
+const path = require('path');
+const viteConfig = path.resolve(__dirname, './vite.config.js');
+const hofDefaults = require('../../../config/hof-defaults');
+
+module.exports = config => {
+  process.env.NODE_ENV = hofDefaults.env;
+
+  if(!config.production) {
+    return vite.build({
+      configFile: viteConfig,
+      mode: 'development'
+    });
+  }
+  return vite.build({
+    configFile: viteConfig
+  });
+};
+module.exports.task = 'vite';

package/build/tasks/vite/vite.config.js

@@ -0,0 +1,82 @@
+/* eslint-disable no-console */
+'use strict';
+
+import { defineConfig } from 'vite';
+import { resolve } from 'path';
+import fs from 'fs';
+import { nodeResolve } from '@rollup/plugin-node-resolve';
+import commonjs from '@rollup/plugin-commonjs';
+import config from '../../../config/builder-defaults';
+
+const publicDirectory = resolve(process.cwd(), 'public');
+const entryFile = (() => {
+  const src = resolve(process.cwd(), 'assets/js/index.js');
+  if (fs.existsSync(src)) return src;
+
+  throw new Error(`vite: entry file not found. Checked: ${src}`);
+})();
+
+
+export default defineConfig({
+  plugins: [
+    commonjs({
+      include: [/node_modules/, /assets\/js/, /frontend/]
+    }),
+    nodeResolve({ browser: true, preferBuiltins: false }),
+    // Intercept all console warnings printed during build
+    // Custom plugin to suppress specific resolve warnings.
+    // Vite does not process and optimise static images and assets files, it uses a src/ folder.
+    // the images and assets folders are therefore loaded at runtime from the public/ folder.
+    // This should be resolved with the v5/nunjucks work so we can ignore these warnings for now.
+    // TODO: Remove this when v5/nunjucks is implemented.
+    {
+      name: 'suppress-resolve-warnings',
+      apply: 'build',
+      configResolved() {
+        const originalWarning = console.warn;
+        console.warn = (...args) => {
+          if (
+            args.some(arg =>
+              typeof arg === 'string' &&
+              arg.includes("didn't resolve at build time")
+            )
+          ) {
+            return; // skip this specific warning
+          }
+          originalWarning(...args);
+        };
+      }
+    }
+  ],
+  base: '/assets/',
+  publicDir: 'static', // static files copied as-is
+  build: {
+    outDir: publicDirectory,
+    emptyOutDir: false,
+    sourcemap: config.js.sourceMaps, // Enable JS/TS sourcemaps in dev
+    rollupOptions: {
+      input: {
+        index: entryFile
+      },
+      output: {
+        entryFileNames: 'js/bundle.js',
+        chunkFileNames: 'js/[name]-[hash].js',
+        assetFileNames: assetInfo => {
+          const ext = assetInfo.name && assetInfo.name.split('.').pop();
+          if (/css/i.test(ext)) return 'css/[name]-[hash][extname]';
+          if (/svg|png|jpg|jpeg|gif|webp|ico/i.test(ext)) return 'images/[name]-[hash][extname]';
+          return 'assets/[name]-[hash][extname]';
+        },
+        format: 'iife'
+      }
+    },
+    css: {
+      // devSourcemap: isDev,
+      preprocessorOptions: {
+        scss: {
+          includes: ['node_modules']
+        }
+      }
+    }
+  }
+});

package/components/emailer/emailer.js

@@ -34,17 +34,17 @@ module.exports = class Emailer {
         html: body,
         attachments: [{
           filename: 'govuk_logotype_email.png',
-          path: path.resolve(__dirname, './assets/rebrand/images/govuk_logotype_email.png'),
+          path: path.resolve(__dirname, './assets/images/govuk_logotype_email.png'),
           cid: 'govuk_logotype_email'
         },
         {
           filename: 'ho_crest_27px.png',
-          path: path.resolve(__dirname, './assets/rebrand/images/ho_crest_27px.png'),
+          path: path.resolve(__dirname, './assets/images/ho_crest_27px.png'),
           cid: 'ho_crest_27px'
         },
         {
           filename: 'spacer.gif',
-          path: path.resolve(__dirname, './assets/rebrand/images/spacer.gif'),
+          path: path.resolve(__dirname, './assets/images/spacer.gif'),
           cid: 'spacer_image'
         }]
       }, (err, result) => err ? reject(err) : resolve(result));

package/config/builder-defaults.js

@@ -5,32 +5,27 @@ const toolkitImages =
     : 'node_modules/hof/frontend/toolkit/assets/rebrand/images';
 
 module.exports = {
-  browserify: {
-    src: 'assets/rebrand/js/index.js',
-    out: 'public/js/bundle.js',
-    match: 'assets/rebrand/js/**/*.js',
-    restart: false,
-    compress: false,
-    debug: false
-  },
   sass: {
-    src: 'assets/rebrand/scss/app.scss',
+    src: 'assets/scss/app.scss',
     out: 'public/css/app.css',
-    match: 'assets/rebrand/scss/**/*.scss',
+    match: 'assets/scss/**/*.scss',
     restart: false,
     quietDeps: false,
     outputStyle: 'expanded',
     sourceMaps: false
   },
+  js: {
+    sourceMaps: false
+  },
   translate: {
     src: 'apps/**/translations/src',
     match: 'apps/**/translations/src/**/*.json',
     shared: 'apps/common/translations/src'
   },
   images: {
-    src: ['assets/rebrand/images', toolkitImages],
+    src: ['assets/rebrand/images', 'assets/images', toolkitImages],
     out: 'public/images',
-    match: ['assets/rebrand/images/**/*', `${toolkitImages}/**/*`],
+    match: 'assets/images/**/*',
     restart: false
   },
   server: {

package/config/hof-defaults.js

@@ -51,7 +51,7 @@ const defaults = {
   },
   session: {
     ttl: process.env.SESSION_TTL || 1800,
-    secret: process.env.SESSION_SECRET || 'changethis',
+    secret: process.env.SESSION_SECRET,
     name: process.env.SESSION_NAME || 'hod.sid',
     sanitiseInputs: false
   },
@@ -59,6 +59,7 @@ const defaults = {
     pdfConverter: process.env.PDF_CONVERTER_URL
   },
   serveStatic: process.env.SERVE_STATIC_FILES !== 'false',
+  useCustomSessionTimeout: parseBoolean(process.env.USE_CUSTOM_SESSION_TIMEOUT, false, 'USE_CUSTOM_SESSION_TIMEOUT'),
   sessionTimeOutWarning: process.env.SESSION_TIMEOUT_WARNING || 300,
   serviceUnavailable: parseBoolean(process.env.SERVICE_UNAVAILABLE, false, 'SERVICE_UNAVAILABLE')
 };

package/frontend/govuk-template/build/config.js

@@ -4,6 +4,7 @@ module.exports = {
   htmlLang: '{{htmlLang}}',
   assetPath: '{{govukAssetPath}}',
   assetRebrandPath: '{{govukAssetPath}}rebrand/',
+  themeColour: '#1d70b8',
   afterHeader: '{{$afterHeader}}{{/afterHeader}}',
   bodyClasses: '{{$bodyClasses}}{{/bodyClasses}}',
   bodyStart: '{{$bodyStart}}{{/bodyStart}}',

package/frontend/govuk-template/build/govuk_template.html

@@ -6,15 +6,15 @@
     <meta charset="utf-8" />
     <title>{{ pageTitle }}</title>
     {{{ head }}}
-
-<meta name="theme-color" content="#1d70b8">
-<meta http-equiv="X-UA-Compatible" content="IE=edge">
-<link rel="icon" sizes="48x48" href="{{assetRebrandPath}}images/favicon.ico">
-<link rel="icon" sizes="any" href="{{assetRebrandPath}}images/favicon.svg" type="image/svg+xml">
-<link rel="mask-icon" href="{{assetRebrandPath}}images/govuk-icon-mask.svg" color="#1d70b8">
-<link rel="apple-touch-icon" href="{{assetRebrandPath}}images/govuk-icon-180.png">
-<link rel="manifest" href="{{assetRebrandPath}}manifest.json">
-<meta property="og:image" content="{{assetRebrandPath}}images/govuk-opengraph-image.png">
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+    <meta name="theme-color" content="{{themeColour}}">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <link rel="icon" sizes="48x48" href="{{assetRebrandPath}}images/favicon.ico">
+    <link rel="icon" sizes="any" href="{{assetRebrandPath}}images/favicon.svg" type="image/svg+xml">
+    <link rel="mask-icon" href="{{assetRebrandPath}}images/govuk-icon-mask.svg" color="{{themeColour}}">
+    <link rel="apple-touch-icon" href="{{assetRebrandPath}}images/govuk-icon-180.png">
+    <link rel="manifest" href="{{assetRebrandPath}}manifest.json">
+    <meta property="og:image" content="{{assetRebrandPath}}images/govuk-opengraph-image.png">
   </head>
 
   <body class="{{ bodyClasses }} govuk-template__body  js-enabled" >

package/frontend/govuk-template/govuk_template_generated.html

@@ -6,15 +6,15 @@
     <meta charset="utf-8" />
     <title>{{$pageTitle}}{{/pageTitle}}</title>
     {{$head}}{{/head}}
-
-<meta name="theme-color" content="#1d70b8">
-<meta http-equiv="X-UA-Compatible" content="IE=edge">
-<link rel="icon" sizes="48x48" href="{{govukAssetPath}}rebrand/images/favicon.ico">
-<link rel="icon" sizes="any" href="{{govukAssetPath}}rebrand/images/favicon.svg" type="image/svg+xml">
-<link rel="mask-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-mask.svg" color="#1d70b8">
-<link rel="apple-touch-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-180.png">
-<link rel="manifest" href="{{govukAssetPath}}rebrand/manifest.json">
-<meta property="og:image" content="{{govukAssetPath}}rebrand/images/govuk-opengraph-image.png">
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+    <meta name="theme-color" content="#1d70b8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <link rel="icon" sizes="48x48" href="{{govukAssetPath}}rebrand/images/favicon.ico">
+    <link rel="icon" sizes="any" href="{{govukAssetPath}}rebrand/images/favicon.svg" type="image/svg+xml">
+    <link rel="mask-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-mask.svg" color="#1d70b8">
+    <link rel="apple-touch-icon" href="{{govukAssetPath}}rebrand/images/govuk-icon-180.png">
+    <link rel="manifest" href="{{govukAssetPath}}rebrand/manifest.json">
+    <meta property="og:image" content="{{govukAssetPath}}rebrand/images/govuk-opengraph-image.png">
   </head>
 
   <body class="{{$bodyClasses}}{{/bodyClasses}} govuk-template__body  js-enabled" >

package/frontend/template-mixins/mixins/template-mixins.js

@@ -359,7 +359,7 @@ module.exports = function (options) {
         renderWith: inputText,
         options: {
           maxlength: 18,
-          className: 'govuk-input govuk-input--extra-letter-spacing'
+          className: 'govuk-input'
         }
       },
       'input-file': {

package/frontend/template-mixins/partials/forms/checkbox.html

@@ -1,6 +1,6 @@
 <div id="{{key}}-group" class="govuk-form-group {{#compound}} form-group-compound{{/compound}}{{#formGroupClassName}} {{formGroupClassName}}{{/formGroupClassName}}{{#error}} govuk-form-group--error{{/error}}">
     {{#error}}
-    <p class="govuk-error-message" aria-hidden="true">
+    <p id="{{key}}-error" class="govuk-error-message" aria-hidden="true">
         <span class="govuk-visually-hidden">Error:</span> {{error.message}}
     </p>
     {{/error}}

package/frontend/themes/gov-uk/styles/govuk.scss

@@ -1,7 +1,7 @@
 // App styles
 
 // set the default image directory
-$path: "/public/images/" !default;
+$path: "/images/" !default;
 
 // GOV.UK front end toolkit
 // Sass variables, mixins and functions

package/frontend/toolkit/index.js

@@ -1,10 +1,10 @@
 module.exports = {
-  helpers: require('./assets/rebrand/javascript/helpers'),
-  formFocus: require('./assets/rebrand/javascript/form-focus'),
-  progressiveReveal: require('./assets/rebrand/javascript/progressive-reveal'),
-  validation: require('./assets/rebrand/javascript/validation'),
+  helpers: require('./assets/javascript/helpers'),
+  formFocus: require('./assets/javascript/form-focus'),
+  progressiveReveal: require('./assets/javascript/progressive-reveal'),
+  validation: require('./assets/javascript/validation'),
   detailsSummary: function () {
-    require('./assets/rebrand/javascript/vendor/details.polyfill');
+    require('./assets/javascript/vendor/details.polyfill');
   },
-  characterCount: require('./assets/rebrand/javascript/character-count')
+  characterCount: require('./assets/javascript/character-count')
 };

package/index.js

@@ -158,7 +158,7 @@ function bootstrap(options) {
     res.locals.htmlLang = config.htmlLang;
     res.locals.cookieName = config.session.name;
     // session timeout warning configs
-    res.locals.sessionTimeOut = config.session.ttl;
+    res.locals.sessionTimeOut = process.env.CUSTOM_SESSION_EXPIRY || config.session.ttl;
     res.locals.sessionTimeOutWarning = config.sessionTimeOutWarning;
     res.locals.sessionTimeoutWarningContent = config.sessionTimeoutWarningContent;
     res.locals.exitFormContent = config.exitFormContent;
@@ -238,8 +238,8 @@ function bootstrap(options) {
     app.use(hofMiddleware.rateLimiter(config, 'requests'));
   }
 
-  // Set up routing so <YOUR-SITE-URL>/assets are served from /node_modules/govuk-frontend/govuk/assets/rebrand
-  app.use('/assets', express.static(path.join(__dirname, '/node_modules/govuk-frontend/govuk/assets/rebrand')));
+  // Set up routing so <YOUR-SITE-URL>/assets are served from /node_modules/govuk-frontend/govuk/assets
+  app.use('/assets', express.static(path.join(__dirname, '/node_modules/govuk-frontend/govuk/assets')));
   // Check if service has been paused and redirect accordingly
   const bypassPaths = ['/assets', '/healthcheck', '/service-unavailable'];
 
@@ -254,26 +254,32 @@ function bootstrap(options) {
 
   /**
    * Handles requests to the session timeout page.
+   * For custom session timeout handling that is not linked to the redis session ttl,
+   * set `CUSTOM_SESSION_EXPIRY` variables to the relevant time and `USE_CUSTOM_SESSION_TIMEOUT`variables to true.
+   * If `CUSTOM_SESSION_EXPIRY` and `USE_CUSTOM_SESSION_TIMEOUT` envs are set,
+   * include '/session-timeout' step in the project's index.js.
    * - If the user has a session cookie but their session is missing or inactive,
    *   this triggers a session timeout error handled by error middleware.
    * - Otherwise, responds with a 404 "Page Not Found" error.
    * This route ensures the timeout page only appears after an actual session expiry.
   */
-  app.get('/session-timeout', (req, res, next) => {
-    if ((req.cookies['hof-wizard-sc']) && (!req.session || req.session.exists !== true)) {
-      const err = new Error('Session expired');
-      err.code = 'SESSION_TIMEOUT';
-      return next(err);
-    }
-    const err = new Error('Not Found');
-    err.status = 404;
-    const locals = Object.assign({}, req.translate('errors'));
-    if (locals && locals['404']) {
-      return res.status(404).render('404', locals['404']);
-    }
-    // Fallback: render a basic 404 page if translation is missing
-    return res.status(404).send('Page Not Found');
-  });
+  if (!config.useCustomSessionTimeout) {
+    app.get('/session-timeout', (req, res, next) => {
+      if ((req.cookies['hof-wizard-sc']) && (!req.session || req.session.exists !== true)) {
+        const err = new Error('Session expired');
+        err.code = 'SESSION_TIMEOUT';
+        return next(err);
+      }
+      const err = new Error('Not Found');
+      err.status = 404;
+      const locals = Object.assign({}, req.translate('errors'));
+      if (locals && locals['404']) {
+        return res.status(404).render('404', locals['404']);
+      }
+      // Fallback: render a basic 404 page if translation is missing
+      return res.status(404).send('Page Not Found');
+    });
+  }
 
   if (config.getAccessibility === true) {
     deprecate(

package/lib/encryption.js

@@ -1,23 +1,49 @@
-/* eslint-disable */ 
 'use strict';
 
-const crypto = require('crypto');
+const crypto = require('node:crypto');
 const algorithm = 'aes-256-cbc';
+const ivLength = 16;
 
-module.exports = password => ({
-
-  encrypt: text => {
-    const cipher = crypto.createCipher(algorithm, password);
-    let crypted = cipher.update(text, 'utf8', 'hex');
-    crypted += cipher.final('hex');
-    return crypted;
-  },
-
-  decrypt: text => {
-    const decipher = crypto.createDecipher(algorithm, password);
-    let dec = decipher.update(text, 'hex', 'utf8');
-    dec += decipher.final('utf8');
-    return dec;
+/**
+ * Creates an encryption utility with AES-256-CBC algorithm.
+ * Provides encrypt and decrypt methods that use a random IV for each encryption operation.
+ *
+ * @module encryption
+ * @param {string|Buffer} secret - Must be exactly 32 bytes
+ * @returns {Object} Encryption utility object
+ * @throws {Error} If secret is not exactly 32 bytes
+ */
+module.exports = secret => {
+  const encryptionKey = Buffer.from(secret, 'utf8');
+  if (encryptionKey.byteLength !== 32) {
+    throw new Error(`Encryption secret must be exactly 32 bytes. Provided: ${encryptionKey.byteLength} bytes.`);
   }
 
-});
+  return {
+    encrypt: text => {
+      try {
+        const iv = crypto.randomBytes(ivLength);
+        const cipher = crypto.createCipheriv(algorithm, encryptionKey, iv);
+        let encrypted = cipher.update(text, 'utf8');
+        encrypted = Buffer.concat([encrypted, cipher.final()]);
+        return iv.toString('hex') + ':' + encrypted.toString('hex');
+      } catch (error) {
+        throw new Error(`Encryption failed: ${error.message}`);
+      }
+    },
+
+    decrypt: text => {
+      try {
+        const textParts = text.split(':');
+        const iv = Buffer.from(textParts.shift(), 'hex');
+        const encryptedText = Buffer.from(textParts.join(':'), 'hex');
+        const decipher = crypto.createDecipheriv(algorithm, encryptionKey, iv);
+        let decrypted = decipher.update(encryptedText);
+        decrypted = Buffer.concat([decrypted, decipher.final()]);
+        return decrypted.toString('utf8');
+      } catch (error) {
+        throw new Error(`Decryption failed: ${error.message}`);
+      }
+    }
+  };
+};

package/lib/sessions.js

@@ -10,8 +10,11 @@ const secureHttps = config => config.protocol === 'https' || config.env === 'pro
 module.exports = (app, config) => {
   const logger = config.logger || console;
 
-  if (config.env === 'production' && config.session.secret === 'changethis') {
-    throw new Error('Session secret must be set to a unique random string for production environments');
+  const secretBuffer = Buffer.from(config.session.secret, 'utf8');
+  if (secretBuffer.byteLength !== 32) {
+    throw new Error(
+      `Session secret must be exactly 32 bytes. Current: ${secretBuffer.byteLength} bytes.`
+    );
   }
 
   app.use(cookieParser(config.session.secret, {