
express-force-ssl's People

Contributors

alfredo-delgado, battlejj, emilbayes, fabslab, ronco, timshadel


express-force-ssl's Issues

Recommendations for a clearer README.md

Hi @battlejj,

I just have a couple of recommendations for a more clear README.md structure:

  • Title and short description (just as now)
  • Installation section (Example: mafintosh/whale)
  • Examples/Usage (I'd prefer it in JS but your call 😋)
  • Changelog
  • License

Following the more "standard" npm format allows devs to more easily skim the README.md, and hopefully, get more people to use the module. If you want, I can submit a PR.

req.url gets modified by express next()

The Express next() method sometimes trims req.url of the router prefix in lib/router/index.js (trim_prefix).

It has the following comments:
// Trim off the part of the url that matches the route
// middleware (.use stuff) needs to have the path stripped

When I changed your code to use req.originalUrl, it works.

Create Tests for Project

A recent bug has opened the discussion about the need for tests for this middleware. I think it's good practice to have tests for any library, however, the fact that this one relies on SSL certificates has made me hesitant due to the not so amazing relationship node.js has with self-signed certificates.

So I am open to ideas about the best way to approach this. If we can build reliable testing with a self-signed cert, I am more than happy to add that in, or another approach is also welcome if someone has a better idea.

Additional Options Support

Two new options currently being requested:

  • 308 Redirect Support
  • 403 SSL Required Errors For GET Requests

308 Redirect Support

A 308 Redirect is similar to a permanent redirect, except it is intended for non-GET requests. In addition to permanently redirecting the user, any additional data (i.e. POST data) would also get sent again to the redirected resource. This is still an experimental status code at this time.

This feature would be an opt in. The default behavior of the library would be to 403 Error for any non-GET request. A simple flag enable308 could be set to true in order to turn this behavior on.

403 SSL Required Errors for GET Requests

This feature would also be an opt in. The default behavior of the library would be to 301 Redirect GET requests to the secure location of the resource. Enabling this feature would cause GET requests to behave with the default behavior of any non-GET request and 403 Error. A simple flag of enableRedirects (option name is a work in progress, not exactly happy with it) would default to true. If this is set to false GET requests will return 403 errors if they are not SSL. In addition, if this option is false and enable308 is set to true, 308 redirects WILL NOT work and will 403 Error.

If anyone has any feedback about either of these features I'd be happy to discuss them as their implementation is not yet finalized.
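The status-code matrix proposed in this issue, combined with the req.originalUrl fix from the "req.url gets modified by express next()" issue above, as an added example that is not the project's own code. The function names, the `host` parameter and the sample requests are assumptions of the example; the option names and defaults follow the proposal text.

```javascript
// Constructed stand-in for a request that reached middleware mounted with
// app.use(mountPath, fn): Express trims the matched prefix from req.url and
// leaves req.originalUrl untouched.
function mountedRequest(method, originalUrl, mountPath) {
  const url = originalUrl.startsWith(mountPath)
    ? originalUrl.slice(mountPath.length) || '/'
    : originalUrl;
  return { method: method, url: url, originalUrl: originalUrl };
}

// Decide the response for a request already known to be non-HTTPS.
// `host` is the configured public hostname (hypothetical parameter).
function insecureResponse(req, host, options) {
  const opts = Object.assign({ enable308: false, enableRedirects: true }, options);
  // enableRedirects=false turns everything into 403, including 308s.
  if (!opts.enableRedirects) return { status: 403 };
  const isGet = req.method === 'GET';
  // Default for non-GET requests is 403 unless 308 support is opted into.
  if (!isGet && !opts.enable308) return { status: 403 };
  // Build the target from originalUrl so the mount prefix is not lost.
  const path = req.originalUrl || req.url;
  return { status: isGet ? 301 : 308, location: 'https://' + host + path };
}

// Constructed sample: middleware mounted at /admin, client asked for /admin/login.
const sample = mountedRequest('GET', '/admin/login?next=1', '/admin');
console.log(sample.url);                                // prefix already trimmed
console.log(insecureResponse(sample, 'example.test'));  // 301 with full path
```

Building the Location from `req.url` in the mounted case would send the client to `/login?next=1`, a path the application does not serve.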

Enable options on a per route basis

There is some interest in being able to define options on a per route basis instead of just globally on/off behavior. This could possibly require a usage change and major version bump requirement.

TypeError when proxy header not found

When a non-secure request comes through that is not behind a proxy providing 'X-Forwarded-Proto' the following error occurs:

TypeError: Cannot call method 'toLowerCase' of undefined

req is undefined

Hi!

For some reason I got a "req is undefined" error and I figured out that I needed to change this small part of your code:

exports = module.exports = function(req, res, next){
  if(!isSecure(req)){

to this:

exports = module.exports = function() {
  return function(req, res, next){
    if(!isSecure(req)){

Also, instead of writing:

app.use(forceSSL);

I had to add:

app.use(forceSSL());

I'm not sure if this is a bug or not, but this is the only way forcing SSL works for me. Using Express 5.0.0alpha1

Let me know if you need any other information.

Best Regards

Deprecated message using express 4.16.3

I receive this message when trying to use this package with express:

express deprecated res.send(status, body): Use res.status(status).send(body) instead node_modules/express-enforces-ssl/index.js:21:7

Only certain pages SSL

Hello, I'm interested in this module because I'm writing an application which needs to serve some pages under http protocol and others under https. But I think I've found an issue (maybe it is not an issue, let's see): I've taken your "test/index.js" server file and I've modified it a little, just to try what I want to get. I've added links in lines 29 and 33 of the file:

  /*
   Routes
   */
  app.get('/', function (req, res) {
    res.send('HTTP and HTTPS.' + '<br/><a href="/ssl">To ssl</a>');
  });

  app.get('/ssl', forceSSL, function (req, res) {
    res.send('HTTPS only.' + '<br/><a href="/">To http</a><br/><a href="/ssl/nested/route/5">To nesetd ssl</a>');
  });

As you can see it is done just to redirect from one page to another. Well, when I launch the application, it is opened in http and displays the link to the ssl page. That link works fine and redirects to the https url specified.

But in this page, when I click on the "To http" link, the server redirects to the home page but using ssl. Is that the expected behavior? I mean, it should redirect to the home page but with http protocol, shouldn't it?

Heroku SSL error

I'm not sure if I've misunderstood something, but for some reason express-force-ssl is not recognizing Heroku's SSL connections. If I set enable301Redirects to false and access through either http or https, then I can see the error message. Setting this to true, Google Chrome gives me an error in Chrome saying too many redirects were attempted.

It's important to note here that Google Chrome does say that the connection is private and successful. I've included the connection details below.

[Screenshot: Screen Shot 2016-10-20 at 8.42.27 PM]

Any ideas?
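A model of how a redirect loop like the one reported here can arise behind a TLS-terminating proxy, together with a header check that does not throw when 'X-Forwarded-Proto' is absent (the TypeError issue above). This is an added example, not the project's code and not a diagnosis of this report; `trustProxyHeader`, `viaProxy` and `redirectsUntilServed` are hypothetical names and the requests are constructed.

```javascript
function isSecure(req, options) {
  const opts = Object.assign({ trustProxyHeader: false }, options);
  // TLS terminated by Node itself (what Express exposes as req.secure).
  if (req.secure === true) return true;
  // Only consult the header when a proxy in front is known to set it.
  if (!opts.trustProxyHeader) return false;
  // The header may be missing; calling toLowerCase() on undefined is the
  // TypeError from the earlier issue.
  const raw = req.headers && req.headers['x-forwarded-proto'];
  if (typeof raw !== 'string') return false;
  // A proxy chain can produce "https,http"; like Express's req.protocol,
  // this example reads the first entry.
  return raw.split(',')[0].trim().toLowerCase() === 'https';
}

// Constructed model of a TLS-terminating proxy: the app always receives
// plain HTTP, and the client's scheme survives only in the header.
function viaProxy(clientScheme) {
  return { secure: false, headers: { 'x-forwarded-proto': clientScheme } };
}

// Number of redirects a browser follows before the page is served,
// starting from http://. Infinity models "too many redirects".
function redirectsUntilServed(options, limit) {
  let scheme = 'http';
  for (let hops = 0; hops < limit; hops++) {
    if (isSecure(viaProxy(scheme), options)) return hops;
    scheme = 'https'; // the middleware answered with a redirect to https://
  }
  return Infinity;
}

console.log(redirectsUntilServed({ trustProxyHeader: true }, 20));  // one redirect
console.log(redirectsUntilServed({ trustProxyHeader: false }, 20)); // loops
console.log(isSecure({ secure: false, headers: {} }, { trustProxyHeader: true }));
```

The header is client-controllable when the app is reachable directly, so it should only be trusted when the proxy in front overwrites it on every request.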
