Neanderthals Paint Mammals


Need private packages and team management tools?Check out npm Orgs. »


1.3.0 • Public • Published


Secure-by-default redirects from HTTP to HTTPS.

  • Browsers get a 301 + Location redirect
  • Only developers, bots, and APIs see security warning (advising to use HTTPS)
  • Always uses meta redirect as a fallback, for everyone
  • '/' always gets a 301 (for curl | bash installers)
  • minimally configurable, don't get fancy


Installation and Usage

npm install --save redirect-https
'use strict';
var express = require('express');
var app = express();
app.use('/', require('redirect-https')({
  body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
module.exports = app;


{ port: 443           // defaults to 443
, body: ''            // defaults to an html comment to use https
, trustProxy: true    // useful if you haven't set this option in express
, browsers: 301       // issue 301 redirect if the user-agent contains "Mozilla/"
, apis: 'meta'        // issue meta redirects to non-browsers
  • This module will call next() if the connection is already tls / https.
  • If trustProxy is true, and X-Forward-Proto is https, next() will be called.
  • If you use {{URL}} in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
  • If you use {{HTML_URL}} in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)

Advanced Options

For the sake of curl | bash installers and the like there is also the option to cause bots and apis (i.e. curl) to get a certain redirect for an exact path match:

{ paths: [
    { match: '/'
    , redirect: 301
  , { match: /^\/$/
    , redirect: 301

If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).


'use strict';
var http = require('http');
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
server.on('request', require('redirect-https')({
  port: securePort
, body: '<!-- Hello! Please use HTTPS instead -->'
, trustProxy: true // default is false
server.listen(insecurePort, function () {
  console.log('Listening on' + server.address().port);

Meta redirect by default, but why?

When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.

Using a meta redirect will break requests from curl and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301.

<meta http-equiv="refresh" content="0;URL=''" />
<!-- Hello Mr. Developer! Please use https instead. Thank you! -->

Other strategies

If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside


The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior:



npm i redirect-https

Downloadsweekly downloads





(MIT OR Apache-2.0)



last publish


  • avatar
Report a vulnerability