Merge branch 'master' of ssh://git.coolaj86.com:22042/coolaj86/redirect-https.js

README.md

@@ -1,9 +1,12 @@
 # redirect-https.js
 
-Redirect from HTTP to HTTPS.
+Secure-by-default redirects from HTTP to HTTPS.
 
-Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect)
+* Browsers get a 301 + Location redirect
-and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect).
+* Only developers, bots, and APIs see security warning (advising to use HTTPS)
+* Always uses meta redirect as a fallback, for everyone
+* '/' always gets a 301 (for `curl | bash` installers)
+* minimally configurable, don't get fancy
 
 See <https://coolaj86.com/articles/secure-your-redirects/>
 
@@ -28,7 +31,7 @@ module.exports = app;
 
 ## Options
 
-```
+```js
 { port: 443           // defaults to 443
 , body: ''            // defaults to an html comment to use https
 , trustProxy: true    // useful if you haven't set this option in express
@@ -42,6 +45,25 @@ module.exports = app;
 * If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
 * If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
 
+## Advanced Options
+
+For the sake of `curl | bash` installers and the like there is also the option to cause bots and apis (i.e. curl)
+to get a certain redirect for an exact path match:
+
+```js
+{ paths: [
+    { match: '/'
+    , redirect: 301
+    }
+  , { match: /^\/$/
+    , redirect: 301
+    }
+  ]
+}
+```
+
+If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
+
 ## Demo
 
 ```javascript

index.js

@@ -15,6 +15,9 @@ module.exports = function (opts) {
   if (!opts.apis) {
     opts.apis = 'meta';
   }
+  if (!Array.isArray(opts.paths)) {
+    opts.paths = [ { match: '/' } ];
+  }
   if (!('body' in opts)) {
     opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
       + "\n    Please use HTTPS instead. -->";
@@ -68,7 +71,21 @@ module.exports = function (opts) {
       + '<body>\n' + body + '\n</body>\n'
       + '</html>\n'
       ;
+    var pathMatch;
 
+    opts.paths.some(function (p) {
+      if (!p.match) {
+        // ignore
+      } else if ('string' === typeof p.match) {
+        pathMatch = (url === p.match) && (p.redirect || 301);
+      } else {
+        pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301);
+      }
+      if (pathMatch) {
+        redirect = pathMatch;
+      }
+      return pathMatch;
+    });
     // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
     if (redirect && isFinite(redirect)) {
       res.statusCode = redirect;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "redirect-https",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Redirect from HTTP to HTTPS using meta redirects",
   "main": "index.js",
   "scripts": {