Compare commits

2 Commits

2b7805c87b...7375a550eb

	| Author | SHA1 | Date | |
|---|---|---|---|
| 7375a550eb | |||
| fd044d6467 | 
							
								
								
									
										30
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
							| @ -1,9 +1,12 @@ | ||||
| # redirect-https.js | ||||
| 
 | ||||
| Redirect from HTTP to HTTPS. | ||||
| Secure-by-default redirects from HTTP to HTTPS. | ||||
| 
 | ||||
| Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect) | ||||
| and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect). | ||||
| * Browsers get a 301 + Location redirect | ||||
| * Only developers, bots, and APIs see security warning (advising to use HTTPS) | ||||
| * Always uses meta redirect as a fallback, for everyone | ||||
| * '/' always gets a 301 (for `curl | bash` installers) | ||||
| * minimally configurable, don't get fancy | ||||
| 
 | ||||
| See <https://coolaj86.com/articles/secure-your-redirects/> | ||||
| 
 | ||||
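Review bot: The bullet "'/' always gets a 301 (for `curl | bash` installers)" is an exception to the bullet two lines above it, which says developers, bots, and APIs see the security warning, and the list does not say which rule wins. State explicitly that a path match takes precedence for non-browser clients, so a script pointed at the plain-HTTP `/` follows the redirect without ever seeing the advice to use HTTPS. Minor: the last bullet starts lower-case ("minimally configurable") while the others are capitalised.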
| @ -28,7 +31,7 @@ module.exports = app; | ||||
| 
 | ||||
| ## Options | ||||
| 
 | ||||
| ``` | ||||
| ```js | ||||
| { port: 443           // defaults to 443 | ||||
| , body: ''            // defaults to an html comment to use https | ||||
| , trustProxy: true    // useful if you haven't set this option in express | ||||
| @ -42,6 +45,25 @@ module.exports = app; | ||||
| * If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) | ||||
| * If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) | ||||
| 
 | ||||
| ## Advanced Options | ||||
| 
 | ||||
| For the sake of `curl | bash` installers and the like there is also the option to cause bots and apis (i.e. curl) | ||||
| to get a certain redirect for an exact path match: | ||||
| 
 | ||||
| ```js | ||||
| { paths: [ | ||||
|     { match: '/' | ||||
|     , redirect: 301 | ||||
|     } | ||||
|   , { match: /^\/$/ | ||||
|     , redirect: 301 | ||||
|     } | ||||
|   ] | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too). | ||||
| 
 | ||||
| ## Demo | ||||
| 
 | ||||
| ```javascript | ||||
|  | ||||
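Review bot: The Advanced Options section does not document the defaults: when `paths` is omitted the code falls back to `[ { match: '/' } ]`, and `redirect` falls back to 301 when an entry leaves it out. Say so here, mention that `paths: []` turns path matching off, and list which values `redirect` accepts. The two entries in the example (`'/'` and `/^\/$/`) match the same thing; one sentence saying they illustrate the string form and the RegExp form would stop readers from copying both.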
							
								
								
									
										17
									
								
								index.js
									
									
									
									
									
								
							
							
						
						
									
							| @ -15,6 +15,9 @@ module.exports = function (opts) { | ||||
|   if (!opts.apis) { | ||||
|     opts.apis = 'meta'; | ||||
|   } | ||||
|   if (!Array.isArray(opts.paths)) { | ||||
|     opts.paths = [ { match: '/' } ]; | ||||
|   } | ||||
|   if (!('body' in opts)) { | ||||
|     opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here." | ||||
|       + "\n    Please use HTTPS instead. -->"; | ||||
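Review bot: `if (!Array.isArray(opts.paths))` replaces any non-array value with the default, so a caller who passes a single object such as `paths: { match: '/install' }` silently gets `/` matched instead of the path they asked for. Either wrap a lone object in an array or throw on a wrong type. This default also changes behaviour for existing callers who never set `paths`: after upgrading they start getting a 301 on `/`, which deserves a line in the changelog.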
| @ -68,7 +71,21 @@ module.exports = function (opts) { | ||||
|       + '<body>\n' + body + '\n</body>\n' | ||||
|       + '</html>\n' | ||||
|       ; | ||||
|     var pathMatch; | ||||
| 
 | ||||
|     opts.paths.some(function (p) { | ||||
|       if (!p.match) { | ||||
|         // ignore
 | ||||
|       } else if ('string' === typeof p.match) { | ||||
|         pathMatch = (url === p.match) && (p.redirect || 301); | ||||
|       } else { | ||||
|         pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301); | ||||
|       } | ||||
|       if (pathMatch) { | ||||
|         redirect = pathMatch; | ||||
|       } | ||||
|       return pathMatch; | ||||
|     }); | ||||
|     // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
 | ||||
|     if (redirect && isFinite(redirect)) { | ||||
|       res.statusCode = redirect; | ||||
|  | ||||
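Review bot: `p.redirect || 301` is copied into `redirect` without validation, and the `isFinite(redirect)` check below accepts anything that coerces to a number, so `redirect: 200` or `redirect: '302'` reaches `res.statusCode` as given. Restrict the value to an integer 3xx code when the options are normalised. Two smaller points: the string branch compares `url === p.match`, so if `url` still carries a query string a request for `/?x=1` will not match `'/'` even though the README calls this an exact path match; and `.some()` is used here for its side effect on `redirect`, which would read more clearly as a small helper that returns the matched code.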
| @ -1,6 +1,6 @@ | ||||
| { | ||||
|   "name": "redirect-https", | ||||
|   "version": "1.2.0", | ||||
|   "version": "1.3.0", | ||||
|   "description": "Redirect from HTTP to HTTPS using meta redirects", | ||||
|   "main": "index.js", | ||||
|   "scripts": { | ||||
|  | ||||
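Review bot: The `description` still reads "Redirect from HTTP to HTTPS using meta redirects", although this release makes a 301 the default for `/` and the README now leads with 301 + Location for browsers; update it together with the version bump. Because the new `paths` default changes what existing callers get, the 1.3.0 release notes should mention it.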