Nascent Political Miscreant

    redirect-https

    1.3.1 • Public • Published

    redirect-https.js

    Secure-by-default redirects from HTTP to HTTPS.

    • Browsers get a 301 + Location redirect
    • Only developers, bots, and APIs see security warning (advising to use HTTPS)
    • Always uses meta redirect as a fallback, for everyone
    • '/' always gets a 301 (for curl | bash installers)
    • minimally configurable, don't get fancy

    See https://coolaj86.com/articles/secure-your-redirects/

    Installation and Usage

    npm install --save redirect-https
    "use strict";
     
    var express = require("express");
    var app = express();
     
    var redirector = require("redirect-https")({
        body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
    });
     
    app.use("/", redirector);
     
    module.exports = app;

    Options

    { port: 443           // defaults to 443
    , body: ''            // defaults to an html comment to use https
    , trustProxy: true    // useful if you haven't set this option in express
    , browsers: 301       // issue 301 redirect if the user-agent contains "Mozilla/"
    , apis: 'meta'        // issue meta redirects to non-browsers
    }
    • This module will call next() if the connection is already tls / https.
    • If trustProxy is true, and X-Forward-Proto is https, next() will be called.
    • {{ URL }} in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
    • {{ HTML_URL }} in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
    • {{ UNSAFE_URL }} is the raw, original url

    Demo

    "use strict";
     
    var http = require("http");
    var server = http.createServer();
    var securePort = process.argv[2] || 8443;
    var insecurePort = process.argv[3] || 8080;
     
    var redirector = require("redirect-https")({
        port: securePort,
        body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
        trustProxy: true // default is false
    });
     
    server.on("request", redirector);
     
    server.listen(insecurePort, function () {
        console.log(
            "Listening on http://localhost.rootprojects.org:" +
                server.address().port
        );
    });

    Advanced Options

    For the sake of curl | bash installers and the like there is also the option to cause bots and apis (i.e. curl) to get a certain redirect for an exact path match:

    {
        paths: [
            { match: "/", redirect: 301 },
            { match: /^\/$/, redirect: 301 }
        ];
    }

    If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).

    Meta redirect by default, but why?

    When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.

    Using a meta redirect will break requests from curl and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301.

    <html><head>
    <meta http-equiv="refresh" content="0;URL='https://example.com/foo'" />
    </head><body>
    <!-- Hello Mr. Developer! Please use https instead. Thank you! -->
    </html>

    Other strategies

    If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside

    Security

    The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior:

    • http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>
    • http://localhost.rootprojects.org:8080/';URL=http://example.com
    • http://localhost.rootprojects.org:8080/;URL=http://example.com

    Install

    npm i redirect-https

    DownloadsWeekly Downloads

    21,578

    Version

    1.3.1

    License

    (MIT OR Apache-2.0)

    Unpacked Size

    21.5 kB

    Total Files

    6

    Last publish

    Collaborators

    • avatar