# redirect-https

Redirect from HTTP to HTTPS using meta redirects

See

## Installation and Usage

```bash
npm install --save redirect-https
```

```js
'use strict';

var express = require('express');
var app = express();

app.use('/', require('redirect-https')({
  body: ''
}));

module.exports = app;
```

## Options

```
{ port: 443           // defaults to 443
, body: ''            // defaults to an html comment to use https
, trustProxy: true    // useful if you haven't set this option in express
}
```

* This module will call `next()` if the connection is already TLS / HTTPS.
* If `trustProxy` is true and `X-Forwarded-Proto` is `https`, `next()` will be called.
* If you use `{{URL}}` in the body text, it will be replaced with a URI-encoded and HTML-escaped URL (it'll look just like it is).
* If you use `{{HTML_URL}}` in the body text, it will be replaced with a URI-decoded and HTML-escaped URL (it'll look just like it would in Chrome's URL bar).

## Demo

```javascript
'use strict';

var http = require('http');
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;

server.on('request', require('redirect-https')({
  port: securePort
, body: ''
, trustProxy: true // default is false
}));

server.listen(insecurePort, function () {
  console.log('Listening on http://localhost.daplie.com:' + server.address().port);
});
```

# Why meta redirects?

When something is broken (i.e. insecure), you don't want it to kinda work; you want developers to notice.

Using a meta redirect will break requests from `curl` and API calls from a programming language, but still have all the SEO and speed benefits of a normal `301`.

```html
```

# Other strategies

If your application is properly separated between static assets and API, then it would probably be more beneficial to return a 200 OK with an error message inside.

# Security

The incoming URL is already URI encoded by the browser but, just in case, I run an HTML escape on it so that no malicious links of this sort will yield unexpected behavior:

* `http://localhost.daplie.com:8080/">`
* `http://localhost.daplie.com:8080/';URL=http://example.com`
* `http://localhost.daplie.com:8080/;URL=http://example.com`
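
The escaping described in the Security section, as an added example that is not redirect-https's own source: it builds the meta refresh tag with and without HTML escaping and checks whether the request data stays inside the `content` attribute. The helper names, the Host value and port 8443 are assumptions for illustration; the three paths are the ones listed above.

```javascript
'use strict';
// Added example: hypothetical helpers, not redirect-https's own source.

// Escape the characters that can close an attribute value or open a tag.
function escapeHtml(str) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Build the HTTPS target from the Host header and request path (both client-controlled).
function httpsUrl(host, path, port) {
  var hostname = String(host).replace(/:\d+$/, '');
  return 'https://' + hostname + (Number(port) === 443 ? '' : ':' + port) + path;
}

// Before: the URL is concatenated into the attribute as-is.
function metaUnsafe(url) {
  return '<meta http-equiv="refresh" content="0;URL=\'' + url + '\'" />';
}

// After: the URL is HTML-escaped first, so it cannot leave the quoted value.
function metaSafe(url) {
  return '<meta http-equiv="refresh" content="0;URL=\'' + escapeHtml(url) + '\'" />';
}

// The tag template itself contains exactly four " and two '; any more means
// request data has broken out of the attribute.
function attributeIntact(tag) {
  return (tag.match(/"/g) || []).length === 4 && (tag.match(/'/g) || []).length === 2;
}

// Constructed inputs: the three paths from the Security section, as a
// non-browser client could send them without URI encoding.
var SAMPLE_PATHS = ['/">', "/';URL=http://example.com", '/;URL=http://example.com'];

function report() {
  return SAMPLE_PATHS.map(function (path) {
    var url = httpsUrl('localhost.daplie.com:8080', path, 8443);
    return { path: path, unsafeOk: attributeIntact(metaUnsafe(url)), safeOk: attributeIntact(metaSafe(url)) };
  });
}

console.log(report());
```

The third path contains no quote characters, so it stays inside the single-quoted URL in both versions; the first two break the unescaped tag.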