doc and formatting updates
							parent
							
								
									0e5fff5c4a
								
							
						
					
					
						commit
						c10a310c20
					
				
							
								
								
									
										97
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
							@ -2,11 +2,11 @@
 | 
			
		||||
 | 
			
		||||
Secure-by-default redirects from HTTP to HTTPS.
 | 
			
		||||
 | 
			
		||||
* Browsers get a 301 + Location redirect
 | 
			
		||||
* Only developers, bots, and APIs see security warning (advising to use HTTPS)
 | 
			
		||||
* Always uses meta redirect as a fallback, for everyone
 | 
			
		||||
* '/' always gets a 301 (for `curl | bash` installers)
 | 
			
		||||
* minimally configurable, don't get fancy
 | 
			
		||||
-   Browsers get a 301 + Location redirect
 | 
			
		||||
-   Only developers, bots, and APIs see security warning (advising to use HTTPS)
 | 
			
		||||
-   Always uses meta redirect as a fallback, for everyone
 | 
			
		||||
-   '/' always gets a 301 (for `curl | bash` installers)
 | 
			
		||||
-   minimally configurable, don't get fancy
 | 
			
		||||
 | 
			
		||||
See <https://coolaj86.com/articles/secure-your-redirects/>
 | 
			
		||||
 | 
			
		||||
@ -17,14 +17,16 @@ npm install --save redirect-https
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
```js
 | 
			
		||||
'use strict';
 | 
			
		||||
"use strict";
 | 
			
		||||
 | 
			
		||||
var express = require('express');
 | 
			
		||||
var express = require("express");
 | 
			
		||||
var app = express();
 | 
			
		||||
 | 
			
		||||
app.use('/', require('redirect-https')({
 | 
			
		||||
  body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
 | 
			
		||||
}));
 | 
			
		||||
var redirector = require("redirect-https")({
 | 
			
		||||
    body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
 | 
			
		||||
});
 | 
			
		||||
 | 
			
		||||
app.use("/", redirector);
 | 
			
		||||
 | 
			
		||||
module.exports = app;
 | 
			
		||||
```
 | 
			
		||||
@ -40,10 +42,37 @@ module.exports = app;
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
* This module will call `next()` if the connection is already tls / https.
 | 
			
		||||
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
 | 
			
		||||
* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
 | 
			
		||||
* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
 | 
			
		||||
-   This module will call `next()` if the connection is already tls / https.
 | 
			
		||||
-   If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
 | 
			
		||||
-   `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
 | 
			
		||||
-   `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
 | 
			
		||||
-   `{{ UNSAFE_URL }}` is the raw, original url
 | 
			
		||||
 | 
			
		||||
## Demo
 | 
			
		||||
 | 
			
		||||
```javascript
 | 
			
		||||
"use strict";
 | 
			
		||||
 | 
			
		||||
var http = require("http");
 | 
			
		||||
var server = http.createServer();
 | 
			
		||||
var securePort = process.argv[2] || 8443;
 | 
			
		||||
var insecurePort = process.argv[3] || 8080;
 | 
			
		||||
 | 
			
		||||
var redirector = require("redirect-https")({
 | 
			
		||||
    port: securePort,
 | 
			
		||||
    body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
 | 
			
		||||
    trustProxy: true // default is false
 | 
			
		||||
});
 | 
			
		||||
 | 
			
		||||
server.on("request", redirector);
 | 
			
		||||
 | 
			
		||||
server.listen(insecurePort, function () {
 | 
			
		||||
    console.log(
 | 
			
		||||
        "Listening on http://localhost.rootprojects.org:" +
 | 
			
		||||
            server.address().port
 | 
			
		||||
    );
 | 
			
		||||
});
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
## Advanced Options
 | 
			
		||||
 | 
			
		||||
@ -51,40 +80,16 @@ For the sake of `curl | bash` installers and the like there is also the option t
 | 
			
		||||
to get a certain redirect for an exact path match:
 | 
			
		||||
 | 
			
		||||
```js
 | 
			
		||||
{ paths: [
 | 
			
		||||
    { match: '/'
 | 
			
		||||
    , redirect: 301
 | 
			
		||||
    }
 | 
			
		||||
  , { match: /^\/$/
 | 
			
		||||
    , redirect: 301
 | 
			
		||||
    }
 | 
			
		||||
  ]
 | 
			
		||||
{
 | 
			
		||||
    paths: [
 | 
			
		||||
        { match: "/", redirect: 301 },
 | 
			
		||||
        { match: /^\/$/, redirect: 301 }
 | 
			
		||||
    ];
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
 | 
			
		||||
 | 
			
		||||
## Demo
 | 
			
		||||
 | 
			
		||||
```javascript
 | 
			
		||||
'use strict';
 | 
			
		||||
 | 
			
		||||
var http = require('http');
 | 
			
		||||
var server = http.createServer();
 | 
			
		||||
var securePort = process.argv[2] || 8443;
 | 
			
		||||
var insecurePort = process.argv[3] || 8080;
 | 
			
		||||
 | 
			
		||||
server.on('request', require('redirect-https')({
 | 
			
		||||
  port: securePort
 | 
			
		||||
, body: '<!-- Hello! Please use HTTPS instead -->'
 | 
			
		||||
, trustProxy: true // default is false
 | 
			
		||||
}));
 | 
			
		||||
 | 
			
		||||
server.listen(insecurePort, function () {
 | 
			
		||||
  console.log('Listening on http://localhost.pplwink.com:' + server.address().port);
 | 
			
		||||
});
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
# Meta redirect by default, but why?
 | 
			
		||||
 | 
			
		||||
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
 | 
			
		||||
@ -108,6 +113,6 @@ If your application is properly separated between static assets and api, then it
 | 
			
		||||
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
 | 
			
		||||
so that no malicious links of this sort will yield unexpected behavior:
 | 
			
		||||
 | 
			
		||||
  * `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>`
 | 
			
		||||
  * `http://localhost.pplwink.com:8080/';URL=http://example.com`
 | 
			
		||||
  * `http://localhost.pplwink.com:8080/;URL=http://example.com`
 | 
			
		||||
-   `http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>`
 | 
			
		||||
-   `http://localhost.rootprojects.org:8080/';URL=http://example.com`
 | 
			
		||||
-   `http://localhost.rootprojects.org:8080/;URL=http://example.com`
 | 
			
		||||
 | 
			
		||||
							
								
								
									
										13
									
								
								package-lock.json
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
							@ -0,0 +1,13 @@
 | 
			
		||||
{
 | 
			
		||||
  "name": "redirect-https",
 | 
			
		||||
  "version": "1.3.1",
 | 
			
		||||
  "lockfileVersion": 1,
 | 
			
		||||
  "requires": true,
 | 
			
		||||
  "dependencies": {
 | 
			
		||||
    "escape-html": {
 | 
			
		||||
      "version": "1.0.3",
 | 
			
		||||
      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
 | 
			
		||||
      "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
 | 
			
		||||
    }
 | 
			
		||||
  }
 | 
			
		||||
}
 | 
			
		||||
@ -1,6 +1,6 @@
 | 
			
		||||
{
 | 
			
		||||
  "name": "redirect-https",
 | 
			
		||||
  "version": "1.3.0",
 | 
			
		||||
  "version": "1.3.1",
 | 
			
		||||
  "description": "Redirect from HTTP to HTTPS using meta redirects",
 | 
			
		||||
  "main": "index.js",
 | 
			
		||||
  "scripts": {
 | 
			
		||||
@ -8,7 +8,7 @@
 | 
			
		||||
  },
 | 
			
		||||
  "repository": {
 | 
			
		||||
    "type": "git",
 | 
			
		||||
    "url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git"
 | 
			
		||||
    "url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git"
 | 
			
		||||
  },
 | 
			
		||||
  "keywords": [
 | 
			
		||||
    "https",
 | 
			
		||||
@ -27,5 +27,6 @@
 | 
			
		||||
  "homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme",
 | 
			
		||||
  "dependencies": {
 | 
			
		||||
    "escape-html": "^1.0.3"
 | 
			
		||||
  }
 | 
			
		||||
  },
 | 
			
		||||
  "devDependencies": {}
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||