redirect-https.js
Secure-by-default redirects from HTTP to HTTPS.
- Browsers get a 301 + Location redirect
- Only developers, bots, and APIs see security warning (advising to use HTTPS)
- Always uses meta redirect as a fallback, for everyone
- '/' always gets a 301 (for
curl | bash
installers) - minimally configurable, don't get fancy
See https://coolaj86.com/articles/secure-your-redirects/
Installation and Usage
npm install --save redirect-https
"use strict"; var express = ;var app = ; var redirector = body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"; app; moduleexports = app;
Options
port: 443 // defaults to 443 body: '' // defaults to an html comment to use https trustProxy: true // useful if you haven't set this option in express browsers: 301 // issue 301 redirect if the user-agent contains "Mozilla/" apis: 'meta' // issue meta redirects to non-browsers
- This module will call
next()
if the connection is already tls / https. - If
trustProxy
is true, andX-Forward-Proto
is https,next()
will be called. {{ URL }}
in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is){{ HTML_URL }}
in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar){{ UNSAFE_URL }}
is the raw, original url
Demo
"use strict"; var http = ;var server = http;var securePort = processargv2 || 8443;var insecurePort = processargv3 || 8080; var redirector = port: securePort body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->" trustProxy: true // default is false; server; server;
Advanced Options
For the sake of curl | bash
installers and the like there is also the option to cause bots and apis (i.e. curl)
to get a certain redirect for an exact path match:
paths: match: "/" redirect: 301 match: /^\/$/ redirect: 301 ;
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
Meta redirect by default, but why?
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
Using a meta redirect will break requests from curl
and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301
.
<!-- Hello Mr. Developer! Please use https instead. Thank you! -->
Other strategies
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
Security
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior:
http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>
http://localhost.rootprojects.org:8080/';URL=http://example.com
http://localhost.rootprojects.org:8080/;URL=http://example.com