Redirect from HTTP to HTTPS using meta redirects
Secure-by-default redirects from HTTP to HTTPS.
- Browsers get a 301 + Location redirect
- Only developers, bots, and APIs see security warning (advising to use HTTPS)
- Always uses meta redirect as a fallback, for everyone
- '/' always gets a 301 (for curl | bash installers)
- minimally configurable, don't get fancy
See
``bash`
npm install --save redirect-https
`js
"use strict";
var express = require("express");
var app = express();
var redirector = require("redirect-https")({
body: ""
});
app.use("/", redirector);
module.exports = app;
`
`js`
{ port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express
, browsers: 301 // issue 301 redirect if the user-agent contains "Mozilla/"
, apis: 'meta' // issue meta redirects to non-browsers
}
- This module will call next() if the connection is already tls / https.trustProxy
- If is true, and X-Forward-Proto is https, next() will be called.{{ URL }}
- in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is){{ HTML_URL }}
- in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar){{ UNSAFE_URL }}
- is the raw, original url
`javascript
"use strict";
var http = require("http");
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
var redirector = require("redirect-https")({
port: securePort,
body: "",
trustProxy: true // default is false
});
server.on("request", redirector);
server.listen(insecurePort, function () {
console.log(
"Listening on http://localhost.rootprojects.org:" +
server.address().port
);
});
`
For the sake of curl | bash installers and the like there is also the option to cause bots and apis (i.e. curl)
to get a certain redirect for an exact path match:
`js`
{
paths: [
{ match: "/", redirect: 301 },
{ match: /^\/$/, redirect: 301 }
];
}
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
Using a meta redirect will break requests from curl and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301.
`html`
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior:
- http://localhost.rootprojects.org:8080/">
-
-