battlejj / express-force-ssl
Middleware to force SSL on pages
License: MIT License
Hi @battlejj,
I just have a couple of recommendations for a clearer README.md structure:
Following the more "standard" npm format allows devs to skim the README.md more easily and, hopefully, gets more people to use the module. If you want, I can submit a PR.
Perhaps use an HTTP testing tool like supertest.
The Express next() method sometimes trims the router prefix off req.url in lib/router/index.js (trim_prefix), which has the following comments:
// Trim off the part of the url that matches the route
// middleware (.use stuff) needs to have the path stripped
When I changed your code to use req.originalUrl, it works.
A recent bug has opened the discussion about the need for tests for this middleware. I think it's good practice to have tests for any library; however, the fact that this one relies on SSL certificates has made me hesitant, due to the not-so-amazing relationship node.js has with self-signed certificates.
So I am open to ideas about the best way to approach this. If we can build reliable testing with a self-signed cert, I am more than happy to add that in, or another approach is also welcome if someone has a better idea.
As my title says, my app only redirects when I do a GET for my default context (http://localhost:3000/), which redirects to https (https://localhost:3001/), but if I GET the next URL, http://localhost:3000/users/get/1, I'm redirected to https://localhost:3000/users/get/1 (port still being 3000).
I use app.use('httpsPort', 3001).
Two new options currently being requested:
A 308 Redirect is similar to a permanent redirect, except it is intended for non-GET requests. In addition to permanently redirecting the user, any additional data (i.e. POST data) would also get sent again to the redirected resource. This is still an experimental status code at this time.
This feature would be an opt in. The default behavior of the library would be to 403 Error for any non-GET request. A simple flag enable308 could be set to true in order to turn this behavior on.
This feature would also be an opt in. The default behavior of the library would be to 301 Redirect GET requests to the secure location of the resource. Enabling this feature would cause GET requests to behave with the default behavior of any non-GET request and 403 Error. A simple flag of enableRedirects (option name is a work in progress, not exactly happy with it) would default to true. If this is set to false GET requests will return 403 errors if they are not SSL. In addition, if this option is false and enable308 is set to true, 308 redirects WILL NOT work and will 403 Error.
If anyone has any feedback about either of these features I'd be happy to discuss them as their implementation is not yet finalized.
There is some interest in being able to define options on a per route basis instead of just globally on/off behavior. This could possibly require a usage change and major version bump requirement.
When a non-secure request comes through that is not behind a proxy providing 'X-Forwarded-Proto', the following error occurs:
TypeError: Cannot call method 'toLowerCase' of undefined
This header can easily be spoofed and should only be trusted if the programmer configures it explicitly.
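The following is a minimal force-SSL middleware written for this note, not the project's own code, that ties the three points above together: it builds the redirect from req.originalUrl so a mounted router prefix and the configured httpsPort survive, consults X-Forwarded-Proto only behind an explicit opt-in, and tolerates the header being absent. The option names (httpsPort, trustProtoHeader) and the Express-like req/res shape are this example's assumptions.

```javascript
'use strict';

// Report whether the request arrived over TLS. X-Forwarded-Proto is consulted only when
// the app opts in with trustProtoHeader, because any client can send that header itself.
function isSecure(req, opts) {
  if (req.secure) return true;
  if (!opts.trustProtoHeader) return false;
  const proto = req.headers['x-forwarded-proto'];
  // A missing header must not throw (the TypeError in the issue above); treat it as http.
  return typeof proto === 'string' && proto.split(',')[0].trim().toLowerCase() === 'https';
}

// Build the https location. req.originalUrl is used rather than req.url because Express
// strips a mounted router's prefix from req.url before the middleware runs.
function secureLocation(req, opts) {
  const host = String(req.headers.host || '').split(':')[0];
  const port = opts.httpsPort === 443 ? '' : ':' + opts.httpsPort;
  return 'https://' + host + port + req.originalUrl;
}

// Factory: returns the middleware, so it is mounted as app.use(forceSSL({ httpsPort: 3001 })).
function forceSSL(options) {
  const opts = Object.assign({ httpsPort: 443, trustProtoHeader: false }, options);
  return function (req, res, next) {
    if (isSecure(req, opts)) return next();
    if (req.method === 'GET' || req.method === 'HEAD') {
      // Safe methods get a 301 to the secure URL (res.redirect(status, url) avoids the
      // deprecated res.send(status, body) form).
      return res.redirect(301, secureLocation(req, opts));
    }
    // A non-GET body would be lost across a 301, so refuse instead of redirecting.
    return res.status(403).send('SSL Required.');
  };
}

if (typeof module !== 'undefined') module.exports = { forceSSL, isSecure, secureLocation };
```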
Hi!
For some reason I got a "req is undefined" error and I figured out that I needed to change this small part of your code:
exports = module.exports = function(req, res, next){
  if(!isSecure(req)){
to this:
exports = module.exports = function() {
  return function(req, res, next){
    if(!isSecure(req)){
Also, instead of writing:
app.use(forceSSL);
I had to add:
app.use(forceSSL());
I'm not sure if this is a bug or not, but this is the only way forcing SSL works for me. Using Express 5.0.0alpha1
Let me know if you need any other information.
Best Regards
Is there a reason you use a 301 redirect for GETs and a 403 for everything else instead of just redirecting all methods using a 307 or a 308? It seems to me that it would be a better experience for the user.
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#3xx_Redirection
I receive this message when trying to use this package with express:
express deprecated res.send(status, body): Use res.status(status).send(body) instead node_modules/express-enforces-ssl/index.js:21:7
Your documentation shows the user should use:
app.use( 'httpsPort', 8443);
It should be:
app.set( 'httpsPort', 8443);
Hello, I'm interested in this module because I'm writing an application which needs to serve some pages under the http protocol and others under https. But I think I've found an issue (maybe it is not an issue, let's see): I've taken your "test/index.js" server file and I've modified it a little, just to try what I want to get. I've added links in lines 29 and 33 of the file:
/*
  Routes
*/
app.get('/', function (req, res) {
  res.send('HTTP and HTTPS.' + '<br/><a href="/ssl">To ssl</a>');
});
app.get('/ssl', forceSSL, function (req, res) {
  res.send('HTTPS only.' + '<br/><a href="/">To http</a><br/><a href="/ssl/nested/route/5">To nested ssl</a>');
});
As you can see, it is done just to redirect from one page to another. Well, when I launch the application, it is opened in http and displays the link to the ssl page. That link works fine and redirects to the https url specified.
But on this page, when I click on the "To http" link, the server redirects to the home page but using ssl. Is that the expected behavior? I mean, it should redirect to the home page but with the http protocol, shouldn't it?
I'm not sure if I've misunderstood something, but for some reason express-force-ssl is not recognizing Heroku's SSL connections. If I set enable301Redirects to false and access through either http or https, then I can see the error message. If I set this to true, Google Chrome gives me an error saying too many redirects were attempted.
It's important to note here that Google Chrome does say that the connection is private and successful. I've included the connection details below.
Any ideas?