2015-06-19 15:33:15 +00:00
# redirect-https
2015-06-19 15:15:45 +00:00
Redirect from HTTP to HTTPS using meta redirects
2015-06-19 15:33:15 +00:00
2015-07-07 23:19:44 +00:00
## Installation and Usage
2015-06-19 15:33:15 +00:00
```bash
npm install --save redirect-https
```
2015-07-07 23:19:44 +00:00
```js
'use strict';
var express = require('express');
var app = express();
app.use('/', require('redirect-https')({
body: '<!-- Hello Mr Developer! Please use HTTPS instead --> '
}));
module.exports = app;
```
## Options
```
{ port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express
}
```
* This module will call `next()` if the connection is already tls / https.
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
* If you use `{{URL}}` in the body text it will be replaced with the url
## Demo
2015-06-19 15:33:15 +00:00
```javascript
2015-07-07 23:19:44 +00:00
'use strict';
2015-06-19 15:33:15 +00:00
var http = require('http');
var server = http.createServer();
2015-07-07 23:19:44 +00:00
var securePort = 8443;
var insecurePort = process.argv[2] || 8080;
2015-06-19 15:33:15 +00:00
server.on('request', require('redirect-https')({
2015-07-07 23:19:44 +00:00
port: securePort
2015-06-19 15:33:15 +00:00
, body: '<!-- Hello! Please use HTTPS instead --> '
2015-07-07 23:19:44 +00:00
, trustProxy: true // default is false
2015-06-19 15:33:15 +00:00
}));
2015-07-07 23:19:44 +00:00
server.listen(insecurePort, function () {
console.log('Listening on http://localhost.daplie.com:' + server.address().port);
});
2015-06-19 15:33:15 +00:00
```
# Why meta redirects?
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
Using a meta redirect will break requests from `curl` and api calls from a programming language, but still have all the SEO and speed benefits of a normal `301` .
```html
< html > < head >
< meta http-equiv = "refresh" content = "0;URL='https://example.com/foo'" / >
< / head > < body >
<!-- Hello Mr. Developer! Please use https instead. Thank you! -->
< / html >
```
# Other strategies
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
2015-07-07 23:19:44 +00:00
# Security
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior:
* `http://localhost.daplie.com:8080/"><script>alert('hi')</script>`
* `http://localhost.daplie.com:8080/';URL=http://example.com`
* `http://localhost.daplie.com:8080/;URL=http://example.com`