coolaj86
/
redirect-https.js
1
0
Fork 0
Code Issues Pull Requests Releases Activity

v1.2.0: browsers shall pass, apis... not so much

This commit is contained in:
AJ ONeal 2018-10-02 17:49:24 -06:00
parent 6d9d63ba2a
commit a403ccde39
3 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -1,6 +1,9 @@
# redirect-https # redirect-https
Redirect from HTTP to HTTPS Redirect from HTTP to HTTPS.
Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect)
and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect).
See <https://coolaj86.com/articles/secure-your-redirects/> See <https://coolaj86.com/articles/secure-your-redirects/>
@ -29,6 +32,8 @@ module.exports = app;
{ port: 443 // defaults to 443 { port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https , body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express , trustProxy: true // useful if you haven't set this option in express
, browsers: 301 // issue 301 redirect if the user-agent contains "Mozilla/"
, apis: 'meta' // issue meta redirects to non-browsers
} }
``` ```

17
index.js
View File

@ -6,9 +6,15 @@ module.exports = function (opts) {
if (!opts) { if (!opts) {
opts = {}; opts = {};
} }
if (isNaN(opts.port)) { if (!isFinite(opts.port)) {
opts.port = 443; opts.port = 443;
} }
if (!opts.browsers) {
opts.browsers = 301;
}
if (!opts.apis) {
opts.apis = 'meta';
}
if (!('body' in opts)) { if (!('body' in opts)) {
opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here." opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
+ "\n Please use HTTPS instead. -->"; + "\n Please use HTTPS instead. -->";
@ -25,6 +31,10 @@ module.exports = function (opts) {
} }
var url = (req.originalUrl || req.url); var url = (req.originalUrl || req.url);
// We don't want chrome showing the "Not Secure" badge during the redirect.
var probablyBrowser = (0 === (req.headers['user-agent']||'').indexOf('Mozilla/'));
// But we don't want devs, APIs, or Bots to accidentally browse insecure.
var redirect = probablyBrowser ? opts.browsers : opts.apis;
var host = req.headers.host || ''; var host = req.headers.host || '';
if (!/:\d+/.test(host) && 443 !== opts.port) { if (!/:\d+/.test(host) && 443 !== opts.port) {
// we are using standard port 80, but we aren't using standard port 443 // we are using standard port 80, but we aren't using standard port 443
@ -59,8 +69,9 @@ module.exports = function (opts) {
+ '</html>\n' + '</html>\n'
; ;
if (opts.headerRedirect) { // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
res.statusCode = opts.headerRedirect.responseCode || 302; if (redirect && isFinite(redirect)) {
res.statusCode = redirect;
res.setHeader('Location', newLocation); res.setHeader('Location', newLocation);
} }
res.setHeader('Content-Type', 'text/html; charset=utf-8'); res.setHeader('Content-Type', 'text/html; charset=utf-8');

2
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "redirect-https", "name": "redirect-https",
"version": "1.1.6", "version": "1.2.0",
"description": "Redirect from HTTP to HTTPS using meta redirects", "description": "Redirect from HTTP to HTTPS using meta redirects",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {