express-force-ssl

Extremely simple middleware for requiring some or all pages to be visited over SSL.

Installation

$ npm install express-force-ssl

Configuration

As of v0.3.0 there are some configuration options

NEW Settings Option

app.set('forceSSLOptions', {
  enable301Redirects: true,
  trustXFPHeader: false,
  httpsPort: 443,
  sslRequiredMessage: 'SSL Required.'
});

enable301Redirects - Defaults to true - the normal behavior is to 301 redirect GET requests to the https version of a website. Changing this value to false will cause even GET requests to 403 SSL Required errors.

trustXFPHeader - Defaults to false - this behavior is NEW and will be default NOT TRUST X-Forwarded-Proto which could allow a client to spoof whether or not they were on HTTPS or not. This can be changed to true if you are behind a proxy where you trust the X-Forwarded-Proto header.

httpsPort - Previous this value was set with app.set('httpsPort', :portNumber) which is now deprecated. This value should now be set in the forceSSLOptions setting.

sslRequiredMessage - Defaults to SSL Required. This can be useful if you want to localize your error messages.

Per-Route SSL Settings are now possible

Settings in your forceSSLOptions configuration will act as default settings for your app. However, these values can be overridden by setting res.locals values before the the express-force-ssl middleware is run. For example:

app.set('forceSSLOptions', {
  enable301Redirects: false
});
 
app.get('/', forceSSL, function (req, res) {
  //this route will 403 if accessed via HTTP
  return res.send('HTTPS only.');
});
 
function allow301 (req, res, next) {
  res.locals.forceSSLOptions = {
    enable301Redirects: true
  };
  next();
}
 
app.get('/allow', allow301, forceSSL, function (req, res) {
  //this route will NOT 403 if accessed via HTTP
  return res.send('HTTP or HTTPS');
});
 

Examples

Force SSL on all pages

var express = require('express');
var forceSSL = require('express-force-ssl');
var fs = require('fs');
var http = require('http');
var https = require('https');
 
var ssl_options = {
  key: fs.readFileSync('./keys/private.key'),
  cert: fs.readFileSync('./keys/cert.crt'),
  ca: fs.readFileSync('./keys/intermediate.crt')
};
 
var app = express();
var server = http.createServer(app);
var secureServer = https.createServer(ssl_options, app);
 
app.use(express.bodyParser());
app.use(forceSSL);
app.use(app.router);
 
secureServer.listen(443)
server.listen(80)
 

Only certain pages SSL

var express = require('express');
var forceSSL = require('express-force-ssl');
var fs = require('fs');
var http = require('http');
var https = require('https');
 
var ssl_options = {
  key: fs.readFileSync('./keys/private.key')
  cert: fs.readFileSync('./keys/cert.crt')
  ca: fs.readFileSync('./keys/intermediate.crt')
};
 
var app = express();
 
var server = http.createServer(app);
var secureServer = https.createServer(ssl_options, app);
 
app.use(express.bodyParser());
app.use(app.router);
 
app.get('/', somePublicFunction);
app.get('/user/:name', somePublicFunction);
app.get('/login', forceSSL, someSecureFunction);
app.get('/logout', forceSSL, someSecureFunction);
 
secureServer.listen(443)
server.listen(80)

Custom Server Port Support

If your server isn't listening on 80/443 respectively, you can change this pretty simply.

 
var app = express();
app.set('forceSSLOptions', {
  httpsPort: 8443
});
 
var server = http.createServer(app);
var secureServer = https.createServer(ssl_options, app);
 
...
 
secureServer.listen(443)
server.listen(80)
 

Test

npm test

Change Log

v0.3.2 - Updated README to remove typo. Thanks @gswalden

v0.3.1 - Updated README to remove deprecated usage and fix some typos. Thanks @Alfredo-Delgado and @glennr

v0.3.0 - Added additional configuration options, ability to add per route configuration options

v0.2.13 - Bug Fix, thanks @tatepostnikoff

v0.2.12 - Bug Fix

v0.2.11 - Updated README to fix usage example typo and formatting fixes

v0.2.10 - Updated README for npmjs.com markdown changes

v0.2.9 - More modular tests.

v0.2.8 - Now sends 403 SSL Required error when HTTP method is anything but GET. This will prevent a POST/PUT etc with data that will end up being lost in a redirect.

v0.2.7 - Additional Test cases. Added example server.

v0.2.6 - Added Tests

v0.2.5 - Bug Fix

v0.2.4 - Now also checking X-Forwarded-Proto header to determine SSL connection Courtesy of @ronco

v0.2.3 - Update README

v0.2.2 - Redirect now gives a 301 permanent redirection HTTP Status Code Courtesy of @tixz

v0.2.0 - Added support for ports other than 80/443 for non-secure/secure ports. For example, if you host your non-ssl site on port 8080 and your secure site on 8443, version 0.1.x did not support it. Now, out of the box your non-ssl site port will be recognized, and to specify a port other than 443 for your ssl port you just have to add a setting in your express config like so: Update, this method of setting httpsPort is deprecated as of v 0.3.0

app.set('httpsPort', 8443);

and the plugin will check for it and use it. Defaults to 443 of course.

v0.1.1 - Bug fix Courtesy of @timshadel