Redirect from HTTP to HTTPS using meta redirects
Go to file
AJ ONeal b4a4a7220a v1.1.4 2018-02-27 15:37:00 -07:00
.gitignore Initial commit 2015-06-19 09:15:45 -06:00
LICENSE Initial commit 2015-06-19 09:15:45 -06:00
README.md workaround for malforrmed url 2018-02-26 12:02:44 -07:00
example.js option for URI decoded, but still html escaped urls 2015-07-07 17:30:56 -06:00
index.js use non-decodable url 2018-02-27 14:20:43 -07:00
package.json v1.1.4 2018-02-27 15:37:00 -07:00
test.js fix #2 2016-11-21 15:45:05 -07:00

README.md

redirect-https

Redirect from HTTP to HTTPS using meta redirects

See https://coolaj86.com/articles/secure-your-redirects/

Installation and Usage

npm install --save redirect-https
'use strict';

var express = require('express');
var app = express();

app.use('/', require('redirect-https')({
  body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
}));

module.exports = app;

Options

{ port: 443           // defaults to 443
, body: ''            // defaults to an html comment to use https
, trustProxy: true    // useful if you haven't set this option in express
}
  • This module will call next() if the connection is already tls / https.
  • If trustProxy is true, and X-Forward-Proto is https, next() will be called.
  • If you use {{URL}} in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
  • If you use {{HTML_URL}} in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)

Demo

'use strict';

var http = require('http');
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;

server.on('request', require('redirect-https')({
  port: securePort
, body: '<!-- Hello! Please use HTTPS instead -->'
, trustProxy: true // default is false
}));

server.listen(insecurePort, function () {
  console.log('Listening on http://localhost.daplie.com:' + server.address().port);
});

Why meta redirects?

When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.

Using a meta redirect will break requests from curl and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301.

<html><head>
<meta http-equiv="refresh" content="0;URL='https://example.com/foo'" />
</head><body>
<!-- Hello Mr. Developer! Please use https instead. Thank you! -->
</html>

Other strategies

If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside

Security

The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior:

  • http://localhost.daplie.com:8080/"><script>alert('hi')</script>
  • http://localhost.daplie.com:8080/';URL=http://example.com
  • http://localhost.daplie.com:8080/;URL=http://example.com