From c10a310c20f0db1cc453b64183aa65dc517b6b3c Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Sun, 26 Apr 2020 17:40:00 -0600 Subject: [PATCH] doc and formatting updates --- README.md | 97 +++++++++++++++++++++++++---------------------- package-lock.json | 13 +++++++ package.json | 7 ++-- 3 files changed, 68 insertions(+), 49 deletions(-) create mode 100644 package-lock.json diff --git a/README.md b/README.md index 3cd50bf..07b7e2f 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ Secure-by-default redirects from HTTP to HTTPS. -* Browsers get a 301 + Location redirect -* Only developers, bots, and APIs see security warning (advising to use HTTPS) -* Always uses meta redirect as a fallback, for everyone -* '/' always gets a 301 (for `curl | bash` installers) -* minimally configurable, don't get fancy +- Browsers get a 301 + Location redirect +- Only developers, bots, and APIs see security warning (advising to use HTTPS) +- Always uses meta redirect as a fallback, for everyone +- '/' always gets a 301 (for `curl | bash` installers) +- minimally configurable, don't get fancy See @@ -17,14 +17,16 @@ npm install --save redirect-https ``` ```js -'use strict'; +"use strict"; -var express = require('express'); +var express = require("express"); var app = express(); -app.use('/', require('redirect-https')({ - body: '' -})); +var redirector = require("redirect-https")({ + body: "" +}); + +app.use("/", redirector); module.exports = app; ``` 
@@ -40,10 +42,37 @@ module.exports = app; } ``` -* This module will call `next()` if the connection is already tls / https. -* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. -* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) -* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) +- This module will call `next()` if the connection is already tls / https. +- If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. +- `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) +- `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) +- `{{ UNSAFE_URL }}` is the raw, original url + +## Demo + +```javascript +"use strict"; + +var http = require("http"); +var server = http.createServer(); +var securePort = process.argv[2] || 8443; +var insecurePort = process.argv[3] || 8080; + +var redirector = require("redirect-https")({ + port: securePort, + body: "", + trustProxy: true // default is false +}); + +server.on("request", redirector); + +server.listen(insecurePort, function () { + console.log( + "Listening on http://localhost.rootprojects.org:" + + server.address().port + ); +}); +``` ## Advanced Options 
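Review bot: The new `{{ UNSAFE_URL }}` bullet says only that it is "the raw, original url" and gives no caveat. The two bullets above it describe `{{ URL }}` and `{{ HTML_URL }}` as HTML escaped, so this value is presumably substituted into `body` unescaped; index.js is not part of this patch, so confirm. The request URL is client-controlled, so the bullet should say so, for example ``- `{{ UNSAFE_URL }}` is the raw, original url (not HTML escaped; do not place it in markup or attribute values)``. The Demo added in the same hunk sets `trustProxy: true`, and per the bullet above, a request carrying the https proto header goes straight to `next()`. A comment such as `// only when a proxy in front sets or overwrites this header` on that line would tell readers when the setting is safe to copy.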
@@ -51,40 +80,16 @@ For the sake of `curl | bash` installers and the like there is also the option t to get a certain redirect for an exact path match: ```js -{ paths: [ - { match: '/' - , redirect: 301 - } - , { match: /^\/$/ - , redirect: 301 - } - ] +{ + paths: [ + { match: "/", redirect: 301 }, + { match: /^\/$/, redirect: 301 } + ]; } ``` If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too). -## Demo - -```javascript -'use strict'; - -var http = require('http'); -var server = http.createServer(); -var securePort = process.argv[2] || 8443; -var insecurePort = process.argv[3] || 8080; - -server.on('request', require('redirect-https')({ - port: securePort -, body: '' -, trustProxy: true // default is false -})); - -server.listen(insecurePort, function () { - console.log('Listening on http://localhost.pplwink.com:' + server.address().port); -}); -``` - # Meta redirect by default, but why? When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice. @@ -108,6 +113,6 @@ If your application is properly separated between static assets and api, then it The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior: - * `http://localhost.pplwink.com:8080/">` - * `http://localhost.pplwink.com:8080/';URL=http://example.com` - * `http://localhost.pplwink.com:8080/;URL=http://example.com` +- `http://localhost.rootprojects.org:8080/">` +- `http://localhost.rootprojects.org:8080/';URL=http://example.com` +- `http://localhost.rootprojects.org:8080/;URL=http://example.com` diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..35529cf --- /dev/null +++ b/package-lock.json 
@@ -0,0 +1,13 @@ +{ + "name": "redirect-https", + "version": "1.3.1", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=" + } + } +}
diff --git a/package.json b/package.json
index 5ee089e..76c3eb3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "redirect-https",
- "version": "1.3.0",
+ "version": "1.3.1",
 "description": "Redirect from HTTP to HTTPS using meta redirects",
 "main": "index.js",
 "scripts": {
@@ -8,7 +8,7 @@
 },
 "repository": {
 "type": "git",
- "url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git"
+ "url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git"
 },
 "keywords": [
 "https",
@@ -27,5 +27,6 @@
 "homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme",
 "dependencies": {
 "escape-html": "^1.0.3"
- }
+ },
+ "devDependencies": {}
 }