doc and formatting updates

README.md

@@ -2,11 +2,11 @@
 
 Secure-by-default redirects from HTTP to HTTPS.
 
-* Browsers get a 301 + Location redirect
+-   Browsers get a 301 + Location redirect
-* Only developers, bots, and APIs see security warning (advising to use HTTPS)
+-   Only developers, bots, and APIs see security warning (advising to use HTTPS)
-* Always uses meta redirect as a fallback, for everyone
+-   Always uses meta redirect as a fallback, for everyone
-* '/' always gets a 301 (for `curl | bash` installers)
+-   '/' always gets a 301 (for `curl | bash` installers)
-* minimally configurable, don't get fancy
+-   minimally configurable, don't get fancy
 
 See <https://coolaj86.com/articles/secure-your-redirects/>
 
@@ -17,14 +17,16 @@ npm install --save redirect-https
 ```
 
 ```js
-'use strict';
+"use strict";
 
-var express = require('express');
+var express = require("express");
 var app = express();
 
-app.use('/', require('redirect-https')({
+var redirector = require("redirect-https")({
-  body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
+    body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
-}));
+});
+
+app.use("/", redirector);
 
 module.exports = app;
 ```
@@ -40,10 +42,37 @@ module.exports = app;
 }
 ```
 
-* This module will call `next()` if the connection is already tls / https.
+-   This module will call `next()` if the connection is already tls / https.
-* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
+-   If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
-* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
+-   `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
-* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
+-   `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
+-   `{{ UNSAFE_URL }}` is the raw, original url
+
+## Demo
+
+```javascript
+"use strict";
+
+var http = require("http");
+var server = http.createServer();
+var securePort = process.argv[2] || 8443;
+var insecurePort = process.argv[3] || 8080;
+
+var redirector = require("redirect-https")({
+    port: securePort,
+    body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
+    trustProxy: true // default is false
+});
+
+server.on("request", redirector);
+
+server.listen(insecurePort, function () {
+    console.log(
+        "Listening on http://localhost.rootprojects.org:" +
+            server.address().port
+    );
+});
+```
 
 ## Advanced Options
 
@@ -51,40 +80,16 @@ For the sake of `curl | bash` installers and the like there is also the option t
 to get a certain redirect for an exact path match:
 
 ```js
-{ paths: [
+{
-    { match: '/'
+    paths: [
-    , redirect: 301
+        { match: "/", redirect: 301 },
-    }
+        { match: /^\/$/, redirect: 301 }
-  , { match: /^\/$/
+    ];
-    , redirect: 301
-    }
-  ]
 }
 ```
 
 If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
 
-## Demo
-
-```javascript
-'use strict';
-
-var http = require('http');
-var server = http.createServer();
-var securePort = process.argv[2] || 8443;
-var insecurePort = process.argv[3] || 8080;
-
-server.on('request', require('redirect-https')({
-  port: securePort
-, body: '<!-- Hello! Please use HTTPS instead -->'
-, trustProxy: true // default is false
-}));
-
-server.listen(insecurePort, function () {
-  console.log('Listening on http://localhost.pplwink.com:' + server.address().port);
-});
-```
-
 # Meta redirect by default, but why?
 
 When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
@@ -108,6 +113,6 @@ If your application is properly separated between static assets and api, then it
 The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
 so that no malicious links of this sort will yield unexpected behavior:
 
-  * `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>`
+-   `http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>`
-  * `http://localhost.pplwink.com:8080/';URL=http://example.com`
+-   `http://localhost.rootprojects.org:8080/';URL=http://example.com`
-  * `http://localhost.pplwink.com:8080/;URL=http://example.com`
+-   `http://localhost.rootprojects.org:8080/;URL=http://example.com`

package-lock.json

@@ -0,0 +1,13 @@
+{
+  "name": "redirect-https",
+  "version": "1.3.1",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
+    }
+  }
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "redirect-https",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Redirect from HTTP to HTTPS using meta redirects",
   "main": "index.js",
   "scripts": {
@@ -8,7 +8,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git"
+    "url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git"
   },
   "keywords": [
     "https",
@@ -27,5 +27,6 @@
   "homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme",
   "dependencies": {
     "escape-html": "^1.0.3"
-  }
+  },
+  "devDependencies": {}
 }