Do i need to add the port?

My app runs on port 8080 in development and port 80 in production.

I have a config variable I can use, but it includes http://example.com:8080 or http://example.com

Can I just use that

app.use(require('node-force-domain').redirect(cfg.site_url));

npm audit report

express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/forcedomain/node_modules/express
forcedomain >=2.1.0
Depends on vulnerable versions of express
node_modules/forcedomain

qs 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/forcedomain/node_modules/qs
body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/forcedomain/node_modules/body-parser

4 high severity vulnerabilities

Hello,

we are using your module, it is great.
But there is some small issue about dependency.

In this package is dependency (lodash) locked to specific version. Which means that there should not be used any other version.

For example after using your module it makes these dependecies:
[email protected], lodash@^4.0.0, lodash@^4.11.1, lodash@^4.17.10, lodash@^4.17.4, lodash@^4.17.5, lodash@^4.2.0, lodash@^4.3.0, lodash@~4.17.4

as you can see there are multiple differenent versions required. But all begins with caret symbol (^) can increase minor version. And there is one with tilde (~) so patch version can be increased.

But your module doesn't use any characted. So only lodash version 4.17.10 is used within whole app.

Currently it is not problem because lodash latest version is 4.17.10, but in future lodash can't be updated.

can you update lodash to the latest version. The used version is vulnerability and need to be update as soon as possible

You fixed lodash last prototype pollution with this commit: 9c64412. Great! Could you please release it so we can ugrade forcedomain version?

(some background in this SO comment)

When an incoming request doesn't have a port number in the Host header, forcedomain uses a value of undefined to match against the port value passed in the options. This means that setting a port value of 80 in the options will cause redirect loops (because undefined !== 80).

This behaviour is somewhat documented, but not very explicitly. I think that most users will assume that passing port : 80 works just like it does with any other port number.

FWIW, passing a string value as port number also yields unexpected behaviour (which was the reason for the abovementioned SO question being asked to begin with).

It seems like this works for the root of the website but not for other urls., e.g.

https://risiko.online --> https://www.risiko.online
https://risiko.online/demo --> https://risiko.online/demo

Is this the expected behavior or am I doing something wrong?

Thanks!! :-)

Hi,

I've just testest forcedomain, but I got an issue:

// forcedomain
app.use(force({
    hostname : 'mywebsite.com'
}));

make a 307 redirect, for a 301 redirect, I needed to

app.use(force({
    hostname : 'mywebsite.com',
    type     : 'permanent' 
}));

Is that the default behavior ?

I use lvh.me since my app has subdomain and I can't use localhost, 127.0.0.1, nor 192.168.x.x for that. In my production and staging environment, this package works well on redirecting non-www to www.

Code:

app.use(forceDomain({ hostname: `www.${host}` }));

But in my dev environment, I am getting too many redirects error. For it to work on dev, I need to add port: 3001 and make sure to not commit it.

I am thinking that we can add another option like this:

forceDomain({ dev: process.env.NODE_ENV === 'development' });

Where dev option is a boolean, that if it's a dev environment don't use forcedomain.

I think the condition can be added here:
https://github.com/thenativeweb/forcedomain/blob/master/lib/redirect.ts#L20

This way we can make use of process.env.NODE_ENV variable for the value of dev.

What do you think? I can work on this if it's welcome.

If not I will just create a condition on my app to use port if it's dev.

So I'm using it as following and my site uses the following;

app.use(forceDomain({ hostname: 'www.mydomain.com' }));

The thing is that it tries to redirect to http version of the same url within https - this should be prevented.

I'm getting an infinite redirect loop - using cloudfront to force ssl. Anyone experienced this?

npm audit shows a Prototype Pollution vulnerability arising from the dependancy on lodash 4.17.15.

Great package! Just a small note that package might better be called 'force-domain' per the npm naming guidelines.

Similar to the exclusion for localhost, it would be nice if 192.186.x.x could be excluded as well. This is commonly used for testing on other devices on the same private network as the device that has the server running.

I'm trying to redirect all trafic in www to NON-WWW hostname. Is there possible using forcedomain?

I'm receiving 504 Gateway Time-out always.

code:

if (process.env.NODE_ENV === "production") {
  console.log("--- NODE_ENV: ", process.env.NODE_ENV);
  app.use(req => {
    console.log("-- what is the host? ", req.get("host"));
    console.log( "-- what is the host replaced? ", req.get("host").replace("www.", ""));

    return forceDomain({
      hostname: req.get("host").replace("www.", ""),
      protocol: "https"
    });
  });
}

output:

what is the : host?  www.mysite-env.sa-east-1.elasticbeanstalk.com
what is the host replaced?  misite-env.sa-east-1.elasticbeanstalk.com