Compare commits

..

No commits in common. "c10a310c20f0db1cc453b64183aa65dc517b6b3c" and "7375a550eb936814a17f1db154a315579b28afad" have entirely different histories.

4 changed files with 138 additions and 158 deletions

View File

@ -2,11 +2,11 @@
Secure-by-default redirects from HTTP to HTTPS.
- Browsers get a 301 + Location redirect
- Only developers, bots, and APIs see security warning (advising to use HTTPS)
- Always uses meta redirect as a fallback, for everyone
- '/' always gets a 301 (for `curl | bash` installers)
- minimally configurable, don't get fancy
* Browsers get a 301 + Location redirect
* Only developers, bots, and APIs see security warning (advising to use HTTPS)
* Always uses meta redirect as a fallback, for everyone
* '/' always gets a 301 (for `curl | bash` installers)
* minimally configurable, don't get fancy
See <https://coolaj86.com/articles/secure-your-redirects/>
@ -17,16 +17,14 @@ npm install --save redirect-https
```
```js
"use strict";
'use strict';
var express = require("express");
var express = require('express');
var app = express();
var redirector = require("redirect-https")({
body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
});
app.use("/", redirector);
app.use('/', require('redirect-https')({
body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
}));
module.exports = app;
```
@ -42,37 +40,10 @@ module.exports = app;
}
```
- This module will call `next()` if the connection is already tls / https.
- If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
- `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
- `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
- `{{ UNSAFE_URL }}` is the raw, original url
## Demo
```javascript
"use strict";
var http = require("http");
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
var redirector = require("redirect-https")({
port: securePort,
body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
trustProxy: true // default is false
});
server.on("request", redirector);
server.listen(insecurePort, function () {
console.log(
"Listening on http://localhost.rootprojects.org:" +
server.address().port
);
});
```
* This module will call `next()` if the connection is already tls / https.
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
## Advanced Options
@ -80,16 +51,40 @@ For the sake of `curl | bash` installers and the like there is also the option t
to get a certain redirect for an exact path match:
```js
{
paths: [
{ match: "/", redirect: 301 },
{ match: /^\/$/, redirect: 301 }
];
{ paths: [
{ match: '/'
, redirect: 301
}
, { match: /^\/$/
, redirect: 301
}
]
}
```
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
## Demo
```javascript
'use strict';
var http = require('http');
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
server.on('request', require('redirect-https')({
port: securePort
, body: '<!-- Hello! Please use HTTPS instead -->'
, trustProxy: true // default is false
}));
server.listen(insecurePort, function () {
console.log('Listening on http://localhost.pplwink.com:' + server.address().port);
});
```
# Meta redirect by default, but why?
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
@ -113,6 +108,6 @@ If your application is properly separated between static assets and api, then it
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior:
- `http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>`
- `http://localhost.rootprojects.org:8080/';URL=http://example.com`
- `http://localhost.rootprojects.org:8080/;URL=http://example.com`
* `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>`
* `http://localhost.pplwink.com:8080/';URL=http://example.com`
* `http://localhost.pplwink.com:8080/;URL=http://example.com`

View File

@ -1,7 +1,7 @@
"use strict";
'use strict';
module.exports = function (opts) {
var escapeHtml = require("escape-html");
var escapeHtml = require('escape-html');
if (!opts) {
opts = {};
@ -13,74 +13,73 @@ module.exports = function (opts) {
opts.browsers = 301;
}
if (!opts.apis) {
opts.apis = "meta";
opts.apis = 'meta';
}
if (!Array.isArray(opts.paths)) {
opts.paths = [{ match: "/" }];
opts.paths = [ { match: '/' } ];
}
if (!("body" in opts)) {
opts.body =
"<!-- Hello Developer Person! We don't serve insecure resources around here." +
"\n Please use HTTPS instead. -->";
if (!('body' in opts)) {
opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
+ "\n Please use HTTPS instead. -->";
}
opts.body = opts.body.replace(/{{\s+PORT\s+}}/gi, opts.port);
opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port);
return function (req, res, next) {
if (
req.connection.encrypted ||
"https" === req.protocol ||
(opts.trustProxy && "https" === req.headers["x-forwarded-proto"])
if (req.connection.encrypted
|| 'https' === req.protocol
|| (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])
) {
next();
return;
}
var url = req.originalUrl || req.url;
var url = (req.originalUrl || req.url);
// We don't want chrome showing the "Not Secure" badge during the redirect.
var probablyBrowser =
0 === (req.headers["user-agent"] || "").indexOf("Mozilla/");
var probablyBrowser = (0 === (req.headers['user-agent']||'').indexOf('Mozilla/'));
// But we don't want devs, APIs, or Bots to accidentally browse insecure.
var redirect = probablyBrowser ? opts.browsers : opts.apis;
var host = req.headers.host || "";
var host = req.headers.host || '';
if (!/:\d+/.test(host) && 443 !== opts.port) {
// we are using standard port 80, but we aren't using standard port 443
host += ":80";
host += ':80';
}
var newLocation =
"https://" + host.replace(/:\d+/, ":" + opts.port) + url;
var newLocation = 'https://'
+ host.replace(/:\d+/, ':' + opts.port) + url
;
//var encodedLocation = encodeURI(newLocation);
var escapedLocation = escapeHtml(newLocation);
var decodedLocation;
try {
decodedLocation = decodeURIComponent(newLocation);
} catch (e) {
} catch(e) {
decodedLocation = newLocation; // "#/error/?error_message=" + e.toString();
}
var body = opts.body
.replace(/{{\s*HTML_URL\s*}}/gi, escapeHtml(decodedLocation))
.replace(/{{\s*URL\s*}}/gi, escapedLocation)
.replace(/{{\s*UNSAFE_URL\s*}}/gi, newLocation);
var metaRedirect =
"" +
"<html>" +
'\n<head><META http-equiv="refresh" content="0;URL=\'' +
escapedLocation +
"'\"></head>" +
"\n<body>" +
body +
"</body>" +
"\n</html>\n";
.replace(/{{\s*HTML_URL\s*}}/ig, escapeHtml(decodedLocation))
.replace(/{{\s*URL\s*}}/ig, escapedLocation)
.replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
;
var metaRedirect = ''
+ '<html>\n'
+ '<head>\n'
//+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+ ' <META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'">\n'
+ '</head>\n'
+ '<body>\n' + body + '\n</body>\n'
+ '</html>\n'
;
var pathMatch;
opts.paths.some(function (p) {
if (!p.match) {
// ignore
} else if ("string" === typeof p.match) {
pathMatch = url === p.match && (p.redirect || 301);
} else if ('string' === typeof p.match) {
pathMatch = (url === p.match) && (p.redirect || 301);
} else {
pathMatch =
p.match.test && p.match.test(url) && (p.redirect || 301);
pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301);
}
if (pathMatch) {
redirect = pathMatch;
@ -90,9 +89,9 @@ module.exports = function (opts) {
// If it's not a non-0 number (because null is 0) then 'meta' is assumed.
if (redirect && isFinite(redirect)) {
res.statusCode = redirect;
res.setHeader("Location", newLocation);
res.setHeader('Location', newLocation);
}
res.setHeader("Content-Type", "text/html; charset=utf-8");
res.setHeader('Content-Type', 'text/html; charset=utf-8');
res.end(metaRedirect);
};
};

13
package-lock.json generated
View File

@ -1,13 +0,0 @@
{
"name": "redirect-https",
"version": "1.3.1",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"escape-html": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
"integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg="
}
}
}

View File

@ -1,6 +1,6 @@
{
"name": "redirect-https",
"version": "1.3.1",
"version": "1.3.0",
"description": "Redirect from HTTP to HTTPS using meta redirects",
"main": "index.js",
"scripts": {
@ -8,7 +8,7 @@
},
"repository": {
"type": "git",
"url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git"
"url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git"
},
"keywords": [
"https",
@ -27,6 +27,5 @@
"homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme",
"dependencies": {
"escape-html": "^1.0.3"
},
"devDependencies": {}
}
}