hengkiardo / express-enforces-ssl Goto Github PK

Enforces SSL for Node.js ExpressJS projects

JavaScript 100.00%

express-enforces-ssl's Introduction

express-enforces-ssl

This simple module enforces HTTPS connections on any incoming requests. In case of a non-encrypted HTTP request, express-enforces-ssl automatically redirects to an HTTPS address using a 301 permanent redirect.

express-enforces-ssl also works behind reverse proxies (load balancers) as they are for example used by Heroku and nodejitsu. In such cases, however, the trustProxy parameter has to be set (see below)

Usage

First, install the module:

$ npm install express-enforces-ssl --save

Afterwards, require the module and use the HTTPS() method:

var express = require('express');
var http = require('http');
var express_enforces_ssl = require('express-enforces-ssl');

var app = express();

app.enable('trust proxy');

app.use(express_enforces_ssl());

/*
    Routes Here
*/

http.createServer(app).listen(app.get('port'), function() {
	console.log('Express server listening on port ' + app.get('port'));
});

LICENCE

MIT

express-enforces-ssl's People

Contributors

Stargazers

Watchers

Forkers

geekingfrog evanhahn psirenny dyme smartmobileapps pianyu digideskio ipapasa bitoneinc fengzimu claudio-viola wazbat keneucker pravinshahi0007

express-enforces-ssl's Issues

localhost

403 when authentication headers are sent

The redirect is convenient, but if you're using authentication headers, the fact that the web server processes the request can lead to insecure behavior: developer sends secret token over HTTP, and if the client library automatically follows redirects, everything works, but the token was exposed.

I suggest you respond with 403 when using authentication, similar to what you do with non-GETs.

Um Please Help, What Is This? Thanks Although

Hi, I have an app that only works when I go to it via https. If you visit "http://gameof.ninja" it just hangs and doesn't respond, but if you visit "https://gameof.ninja" it works.

I thought that this project would help me so that when I go to "http://gameof.ninja" it forwards to https and works, but that doesn't seem to be the case since I installed and followed instructions but still hangs when I visit "http://gameof.ninja". Am I totally misunderstanding what this project is supposed to do? Thanks.

You've created a new version but published the old one

Hi there!

When you install version 1.1.0, you will still get the old version. See https://unpkg.com/[email protected]/index.js

trustProxy argument seems unnecessary

Hello!

I jus saw your module appear on echo js. I just wanted to let you know that it seems that the trustProxy argument to your module seems unnecessary. This is because req.secure in express already checks the proxy header is the user setup their "trust proxy" option in their express app.

The reason I bring this up is because X-Forwarded-Proto may actually be a comma-separated list, which this module does not handle. In addition, "trust proxy" in express allows users to choose the source IPs they can actually trust, while your option will blindly trust the header from all requests, which may be spoofed.

Happy coding!

Deprecated message using express 4.16.3

I receive this message when trying to use this package with express:

express deprecated res.send(status, body): Use res.status(status).send(body) instead node_modules/express-enforces-ssl/index.js:21:7

res.headers.host isn't necessarily set in HTTP 1.0

This might create some fun bugs.

Redirect to https://mydomain.com using express redirect fails while using http://mydomain.com work shouldn't it work regardless for https without timing out.

So for proper context when I use response.redirect("https://website.com") in my code while using your package the redirect times-out using http then works. Shouldn't it just work for all circumstances?