doc and formatting updates

AJ ONeal 2020-04-26 17:40:00 -06:00
parent 0e5fff5c4a
commit c10a310c20
3 changed files with 68 additions and 49 deletions


@ -2,11 +2,11 @@
Secure-by-default redirects from HTTP to HTTPS. Secure-by-default redirects from HTTP to HTTPS.
* Browsers get a 301 + Location redirect - Browsers get a 301 + Location redirect
* Only developers, bots, and APIs see security warning (advising to use HTTPS) - Only developers, bots, and APIs see security warning (advising to use HTTPS)
* Always uses meta redirect as a fallback, for everyone - Always uses meta redirect as a fallback, for everyone
* '/' always gets a 301 (for `curl | bash` installers) - '/' always gets a 301 (for `curl | bash` installers)
* minimally configurable, don't get fancy - minimally configurable, don't get fancy
See <https://coolaj86.com/articles/secure-your-redirects/> See <https://coolaj86.com/articles/secure-your-redirects/>
@ -17,14 +17,16 @@ npm install --save redirect-https
``` ```
```js ```js
'use strict'; "use strict";
var express = require('express'); var express = require("express");
var app = express(); var app = express();
app.use('/', require('redirect-https')({ var redirector = require("redirect-https")({
body: '<!-- Hello Mr Developer! Please use HTTPS instead -->' body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
})); });
app.use("/", redirector);
module.exports = app; module.exports = app;
``` ```
@ -40,10 +42,37 @@ module.exports = app;
} }
``` ```
* This module will call `next()` if the connection is already tls / https. - This module will call `next()` if the connection is already tls / https.
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. - If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) - `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) - `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
- `{{ UNSAFE_URL }}` is the raw, original url
## Demo
```javascript
"use strict";
var http = require("http");
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
var redirector = require("redirect-https")({
port: securePort,
body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
trustProxy: true // default is false
});
server.on("request", redirector);
server.listen(insecurePort, function () {
console.log(
"Listening on http://localhost.rootprojects.org:" +
server.address().port
);
});
```
## Advanced Options ## Advanced Options
@ -51,40 +80,16 @@ For the sake of `curl | bash` installers and the like there is also the option t
to get a certain redirect for an exact path match: to get a certain redirect for an exact path match:
```js ```js
{ paths: [ {
{ match: '/' paths: [
, redirect: 301 { match: "/", redirect: 301 },
} { match: /^\/$/, redirect: 301 }
, { match: /^\/$/ ];
, redirect: 301
}
]
} }
``` ```
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too). If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
## Demo
```javascript
'use strict';
var http = require('http');
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
server.on('request', require('redirect-https')({
port: securePort
, body: '<!-- Hello! Please use HTTPS instead -->'
, trustProxy: true // default is false
}));
server.listen(insecurePort, function () {
console.log('Listening on http://localhost.pplwink.com:' + server.address().port);
});
```
# Meta redirect by default, but why? # Meta redirect by default, but why?
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice. When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
@ -108,6 +113,6 @@ If your application is properly separated between static assets and api, then it
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior: so that no malicious links of this sort will yield unexpected behavior:
* `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>` - `http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>`
* `http://localhost.pplwink.com:8080/';URL=http://example.com` - `http://localhost.rootprojects.org:8080/';URL=http://example.com`
* `http://localhost.pplwink.com:8080/;URL=http://example.com` - `http://localhost.rootprojects.org:8080/;URL=http://example.com`

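--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,13 @@
+{
+"name": "redirect-https",
+"version": "1.3.1",
+"lockfileVersion": 1,
+"requires": true,
+"dependencies": {
+"escape-html": {
+"version": "1.0.3",
+"resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+"integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
+}
+}
+}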


@ -1,6 +1,6 @@
{ {
"name": "redirect-https", "name": "redirect-https",
"version": "1.3.0", "version": "1.3.1",
"description": "Redirect from HTTP to HTTPS using meta redirects", "description": "Redirect from HTTP to HTTPS using meta redirects",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {
@ -8,7 +8,7 @@
}, },
"repository": { "repository": {
"type": "git", "type": "git",
"url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git" "url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git"
}, },
"keywords": [ "keywords": [
"https", "https",
@ -27,5 +27,6 @@
"homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme", "homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme",
"dependencies": { "dependencies": {
"escape-html": "^1.0.3" "escape-html": "^1.0.3"
} },
"devDependencies": {}
} }