v1.2.0: browsers shall pass, apis... not so much
This commit is contained in:
parent
6d9d63ba2a
commit
a403ccde39
|
@ -1,6 +1,9 @@
|
||||||
# redirect-https
|
# redirect-https
|
||||||
|
|
||||||
Redirect from HTTP to HTTPS
|
Redirect from HTTP to HTTPS.
|
||||||
|
|
||||||
|
Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect)
|
||||||
|
and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect).
|
||||||
|
|
||||||
See <https://coolaj86.com/articles/secure-your-redirects/>
|
See <https://coolaj86.com/articles/secure-your-redirects/>
|
||||||
|
|
||||||
|
@ -29,6 +32,8 @@ module.exports = app;
|
||||||
{ port: 443 // defaults to 443
|
{ port: 443 // defaults to 443
|
||||||
, body: '' // defaults to an html comment to use https
|
, body: '' // defaults to an html comment to use https
|
||||||
, trustProxy: true // useful if you haven't set this option in express
|
, trustProxy: true // useful if you haven't set this option in express
|
||||||
|
, browsers: 301 // issue 301 redirect if the user-agent contains "Mozilla/"
|
||||||
|
, apis: 'meta' // issue meta redirects to non-browsers
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
17
index.js
17
index.js
|
@ -6,9 +6,15 @@ module.exports = function (opts) {
|
||||||
if (!opts) {
|
if (!opts) {
|
||||||
opts = {};
|
opts = {};
|
||||||
}
|
}
|
||||||
if (isNaN(opts.port)) {
|
if (!isFinite(opts.port)) {
|
||||||
opts.port = 443;
|
opts.port = 443;
|
||||||
}
|
}
|
||||||
|
if (!opts.browsers) {
|
||||||
|
opts.browsers = 301;
|
||||||
|
}
|
||||||
|
if (!opts.apis) {
|
||||||
|
opts.apis = 'meta';
|
||||||
|
}
|
||||||
if (!('body' in opts)) {
|
if (!('body' in opts)) {
|
||||||
opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
|
opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
|
||||||
+ "\n Please use HTTPS instead. -->";
|
+ "\n Please use HTTPS instead. -->";
|
||||||
|
@ -25,6 +31,10 @@ module.exports = function (opts) {
|
||||||
}
|
}
|
||||||
|
|
||||||
var url = (req.originalUrl || req.url);
|
var url = (req.originalUrl || req.url);
|
||||||
|
// We don't want chrome showing the "Not Secure" badge during the redirect.
|
||||||
|
var probablyBrowser = (0 === (req.headers['user-agent']||'').indexOf('Mozilla/'));
|
||||||
|
// But we don't want devs, APIs, or Bots to accidentally browse insecure.
|
||||||
|
var redirect = probablyBrowser ? opts.browsers : opts.apis;
|
||||||
var host = req.headers.host || '';
|
var host = req.headers.host || '';
|
||||||
if (!/:\d+/.test(host) && 443 !== opts.port) {
|
if (!/:\d+/.test(host) && 443 !== opts.port) {
|
||||||
// we are using standard port 80, but we aren't using standard port 443
|
// we are using standard port 80, but we aren't using standard port 443
|
||||||
|
@ -59,8 +69,9 @@ module.exports = function (opts) {
|
||||||
+ '</html>\n'
|
+ '</html>\n'
|
||||||
;
|
;
|
||||||
|
|
||||||
if (opts.headerRedirect) {
|
// If it's not a non-0 number (because null is 0) then 'meta' is assumed.
|
||||||
res.statusCode = opts.headerRedirect.responseCode || 302;
|
if (redirect && isFinite(redirect)) {
|
||||||
|
res.statusCode = redirect;
|
||||||
res.setHeader('Location', newLocation);
|
res.setHeader('Location', newLocation);
|
||||||
}
|
}
|
||||||
res.setHeader('Content-Type', 'text/html; charset=utf-8');
|
res.setHeader('Content-Type', 'text/html; charset=utf-8');
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "redirect-https",
|
"name": "redirect-https",
|
||||||
"version": "1.1.6",
|
"version": "1.2.0",
|
||||||
"description": "Redirect from HTTP to HTTPS using meta redirects",
|
"description": "Redirect from HTTP to HTTPS using meta redirects",
|
||||||
"main": "index.js",
|
"main": "index.js",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
|
|
Loading…
Reference in New Issue