Compare commits
	
		
			3 Commits
		
	
	
		
			7375a550eb
			...
			c10a310c20
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| c10a310c20 | |||
| 0e5fff5c4a | |||
| 16251a99b9 | 
							
								
								
									
										97
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										97
									
								
								README.md
									
									
									
									
									
								
							| @ -2,11 +2,11 @@ | ||||
| 
 | ||||
| Secure-by-default redirects from HTTP to HTTPS. | ||||
| 
 | ||||
| * Browsers get a 301 + Location redirect | ||||
| * Only developers, bots, and APIs see security warning (advising to use HTTPS) | ||||
| * Always uses meta redirect as a fallback, for everyone | ||||
| * '/' always gets a 301 (for `curl | bash` installers) | ||||
| * minimally configurable, don't get fancy | ||||
| -   Browsers get a 301 + Location redirect | ||||
| -   Only developers, bots, and APIs see security warning (advising to use HTTPS) | ||||
| -   Always uses meta redirect as a fallback, for everyone | ||||
| -   '/' always gets a 301 (for `curl | bash` installers) | ||||
| -   minimally configurable, don't get fancy | ||||
| 
 | ||||
| See <https://coolaj86.com/articles/secure-your-redirects/> | ||||
| 
 | ||||
| @ -17,14 +17,16 @@ npm install --save redirect-https | ||||
| ``` | ||||
| 
 | ||||
| ```js | ||||
| 'use strict'; | ||||
| "use strict"; | ||||
| 
 | ||||
| var express = require('express'); | ||||
| var express = require("express"); | ||||
| var app = express(); | ||||
| 
 | ||||
| app.use('/', require('redirect-https')({ | ||||
|   body: '<!-- Hello Mr Developer! Please use HTTPS instead -->' | ||||
| })); | ||||
| var redirector = require("redirect-https")({ | ||||
|     body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->" | ||||
| }); | ||||
| 
 | ||||
| app.use("/", redirector); | ||||
| 
 | ||||
| module.exports = app; | ||||
| ``` | ||||
| @ -40,10 +42,37 @@ module.exports = app; | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| * This module will call `next()` if the connection is already tls / https. | ||||
| * If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. | ||||
| * If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) | ||||
| * If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) | ||||
| -   This module will call `next()` if the connection is already tls / https. | ||||
| -   If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. | ||||
| -   `{{ URL }}` in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is) | ||||
| -   `{{ HTML_URL }}` in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar) | ||||
| -   `{{ UNSAFE_URL }}` is the raw, original url | ||||
| 
 | ||||
| ## Demo | ||||
| 
 | ||||
| ```javascript | ||||
| "use strict"; | ||||
| 
 | ||||
| var http = require("http"); | ||||
| var server = http.createServer(); | ||||
| var securePort = process.argv[2] || 8443; | ||||
| var insecurePort = process.argv[3] || 8080; | ||||
| 
 | ||||
| var redirector = require("redirect-https")({ | ||||
|     port: securePort, | ||||
|     body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->", | ||||
|     trustProxy: true // default is false | ||||
| }); | ||||
| 
 | ||||
| server.on("request", redirector); | ||||
| 
 | ||||
| server.listen(insecurePort, function () { | ||||
|     console.log( | ||||
|         "Listening on http://localhost.rootprojects.org:" + | ||||
|             server.address().port | ||||
|     ); | ||||
| }); | ||||
| ``` | ||||
| 
 | ||||
| ## Advanced Options | ||||
| 
 | ||||
| @ -51,40 +80,16 @@ For the sake of `curl | bash` installers and the like there is also the option t | ||||
| to get a certain redirect for an exact path match: | ||||
| 
 | ||||
| ```js | ||||
| { paths: [ | ||||
|     { match: '/' | ||||
|     , redirect: 301 | ||||
|     } | ||||
|   , { match: /^\/$/ | ||||
|     , redirect: 301 | ||||
|     } | ||||
|   ] | ||||
| { | ||||
|     paths: [ | ||||
|         { match: "/", redirect: 301 }, | ||||
|         { match: /^\/$/, redirect: 301 } | ||||
|     ]; | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too). | ||||
| 
 | ||||
| ## Demo | ||||
| 
 | ||||
| ```javascript | ||||
| 'use strict'; | ||||
| 
 | ||||
| var http = require('http'); | ||||
| var server = http.createServer(); | ||||
| var securePort = process.argv[2] || 8443; | ||||
| var insecurePort = process.argv[3] || 8080; | ||||
| 
 | ||||
| server.on('request', require('redirect-https')({ | ||||
|   port: securePort | ||||
| , body: '<!-- Hello! Please use HTTPS instead -->' | ||||
| , trustProxy: true // default is false | ||||
| })); | ||||
| 
 | ||||
| server.listen(insecurePort, function () { | ||||
|   console.log('Listening on http://localhost.pplwink.com:' + server.address().port); | ||||
| }); | ||||
| ``` | ||||
| 
 | ||||
| # Meta redirect by default, but why? | ||||
| 
 | ||||
| When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice. | ||||
| @ -108,6 +113,6 @@ If your application is properly separated between static assets and api, then it | ||||
| The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it | ||||
| so that no malicious links of this sort will yield unexpected behavior: | ||||
| 
 | ||||
|   * `http://localhost.pplwink.com:8080/"><script>alert('hi')</script>` | ||||
|   * `http://localhost.pplwink.com:8080/';URL=http://example.com` | ||||
|   * `http://localhost.pplwink.com:8080/;URL=http://example.com` | ||||
| -   `http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>` | ||||
| -   `http://localhost.rootprojects.org:8080/';URL=http://example.com` | ||||
| -   `http://localhost.rootprojects.org:8080/;URL=http://example.com` | ||||
|  | ||||
							
								
								
									
										77
									
								
								index.js
									
									
									
									
									
								
							
							
						
						
									
										77
									
								
								index.js
									
									
									
									
									
								
							| @ -1,7 +1,7 @@ | ||||
| 'use strict'; | ||||
| "use strict"; | ||||
| 
 | ||||
| module.exports = function (opts) { | ||||
|   var escapeHtml = require('escape-html'); | ||||
|     var escapeHtml = require("escape-html"); | ||||
| 
 | ||||
|     if (!opts) { | ||||
|         opts = {}; | ||||
| @ -13,40 +13,41 @@ module.exports = function (opts) { | ||||
|         opts.browsers = 301; | ||||
|     } | ||||
|     if (!opts.apis) { | ||||
|     opts.apis = 'meta'; | ||||
|         opts.apis = "meta"; | ||||
|     } | ||||
|     if (!Array.isArray(opts.paths)) { | ||||
|     opts.paths = [ { match: '/' } ]; | ||||
|         opts.paths = [{ match: "/" }]; | ||||
|     } | ||||
|   if (!('body' in opts)) { | ||||
|     opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here." | ||||
|       + "\n    Please use HTTPS instead. -->"; | ||||
|     if (!("body" in opts)) { | ||||
|         opts.body = | ||||
|             "<!-- Hello Developer Person! We don't serve insecure resources around here." + | ||||
|             "\n    Please use HTTPS instead. -->"; | ||||
|     } | ||||
|   opts.body = opts.body.replace(/{{\s+PORT\s+}}/ig, opts.port); | ||||
|     opts.body = opts.body.replace(/{{\s+PORT\s+}}/gi, opts.port); | ||||
| 
 | ||||
|     return function (req, res, next) { | ||||
|     if (req.connection.encrypted | ||||
|       || 'https' === req.protocol | ||||
|       || (opts.trustProxy && 'https' === req.headers['x-forwarded-proto']) | ||||
|         if ( | ||||
|             req.connection.encrypted || | ||||
|             "https" === req.protocol || | ||||
|             (opts.trustProxy && "https" === req.headers["x-forwarded-proto"]) | ||||
|         ) { | ||||
|             next(); | ||||
|             return; | ||||
|         } | ||||
| 
 | ||||
|     var url = (req.originalUrl || req.url); | ||||
|         var url = req.originalUrl || req.url; | ||||
|         // We don't want chrome showing the "Not Secure" badge during the redirect.
 | ||||
|     var probablyBrowser = (0 === (req.headers['user-agent']||'').indexOf('Mozilla/')); | ||||
|         var probablyBrowser = | ||||
|             0 === (req.headers["user-agent"] || "").indexOf("Mozilla/"); | ||||
|         // But we don't want devs, APIs, or Bots to accidentally browse insecure.
 | ||||
|         var redirect = probablyBrowser ? opts.browsers : opts.apis; | ||||
|     var host = req.headers.host || ''; | ||||
|         var host = req.headers.host || ""; | ||||
|         if (!/:\d+/.test(host) && 443 !== opts.port) { | ||||
|             // we are using standard port 80, but we aren't using standard port 443
 | ||||
| 			host += ':80'; | ||||
|             host += ":80"; | ||||
|         } | ||||
|     var newLocation = 'https://' | ||||
|       + host.replace(/:\d+/, ':' + opts.port) + url | ||||
|       ; | ||||
| 
 | ||||
|         var newLocation = | ||||
|             "https://" + host.replace(/:\d+/, ":" + opts.port) + url; | ||||
|         //var encodedLocation = encodeURI(newLocation);
 | ||||
|         var escapedLocation = escapeHtml(newLocation); | ||||
|         var decodedLocation; | ||||
| @ -57,29 +58,29 @@ module.exports = function (opts) { | ||||
|         } | ||||
| 
 | ||||
|         var body = opts.body | ||||
|           .replace(/{{\s*HTML_URL\s*}}/ig, escapeHtml(decodedLocation)) | ||||
|           .replace(/{{\s*URL\s*}}/ig, escapedLocation) | ||||
|           .replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation) | ||||
|           ; | ||||
| 
 | ||||
|     var metaRedirect = '' | ||||
|       + '<html>\n' | ||||
|       + '<head>\n' | ||||
|       //+ '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
 | ||||
|       + '  <META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'">\n' | ||||
|       + '</head>\n' | ||||
|       + '<body>\n' + body + '\n</body>\n' | ||||
|       + '</html>\n' | ||||
|       ; | ||||
|             .replace(/{{\s*HTML_URL\s*}}/gi, escapeHtml(decodedLocation)) | ||||
|             .replace(/{{\s*URL\s*}}/gi, escapedLocation) | ||||
|             .replace(/{{\s*UNSAFE_URL\s*}}/gi, newLocation); | ||||
|         var metaRedirect = | ||||
|             "" + | ||||
|             "<html>" + | ||||
|             '\n<head><META http-equiv="refresh" content="0;URL=\'' + | ||||
|             escapedLocation + | ||||
|             "'\"></head>" + | ||||
|             "\n<body>" + | ||||
|             body + | ||||
|             "</body>" + | ||||
|             "\n</html>\n"; | ||||
|         var pathMatch; | ||||
| 
 | ||||
|         opts.paths.some(function (p) { | ||||
|             if (!p.match) { | ||||
|                 // ignore
 | ||||
|       } else if ('string' === typeof p.match) { | ||||
|         pathMatch = (url === p.match) && (p.redirect || 301); | ||||
|             } else if ("string" === typeof p.match) { | ||||
|                 pathMatch = url === p.match && (p.redirect || 301); | ||||
|             } else { | ||||
|         pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301); | ||||
|                 pathMatch = | ||||
|                     p.match.test && p.match.test(url) && (p.redirect || 301); | ||||
|             } | ||||
|             if (pathMatch) { | ||||
|                 redirect = pathMatch; | ||||
| @ -89,9 +90,9 @@ module.exports = function (opts) { | ||||
|         // If it's not a non-0 number (because null is 0) then 'meta' is assumed.
 | ||||
|         if (redirect && isFinite(redirect)) { | ||||
|             res.statusCode = redirect; | ||||
|       res.setHeader('Location', newLocation); | ||||
|             res.setHeader("Location", newLocation); | ||||
|         } | ||||
|     res.setHeader('Content-Type', 'text/html; charset=utf-8'); | ||||
|         res.setHeader("Content-Type", "text/html; charset=utf-8"); | ||||
|         res.end(metaRedirect); | ||||
|     }; | ||||
| }; | ||||
|  | ||||
							
								
								
									
										13
									
								
								package-lock.json
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
										13
									
								
								package-lock.json
									
									
									
										generated
									
									
									
										Normal file
									
								
							| @ -0,0 +1,13 @@ | ||||
| { | ||||
|   "name": "redirect-https", | ||||
|   "version": "1.3.1", | ||||
|   "lockfileVersion": 1, | ||||
|   "requires": true, | ||||
|   "dependencies": { | ||||
|     "escape-html": { | ||||
|       "version": "1.0.3", | ||||
|       "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", | ||||
|       "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=" | ||||
|     } | ||||
|   } | ||||
| } | ||||
| @ -1,6 +1,6 @@ | ||||
| { | ||||
|   "name": "redirect-https", | ||||
|   "version": "1.3.0", | ||||
|   "version": "1.3.1", | ||||
|   "description": "Redirect from HTTP to HTTPS using meta redirects", | ||||
|   "main": "index.js", | ||||
|   "scripts": { | ||||
| @ -8,7 +8,7 @@ | ||||
|   }, | ||||
|   "repository": { | ||||
|     "type": "git", | ||||
|     "url": "git+https://git.coolaj86.com/coolaj86/redirect-https.js.git" | ||||
|     "url": "https://git.coolaj86.com/coolaj86/redirect-https.js.git" | ||||
|   }, | ||||
|   "keywords": [ | ||||
|     "https", | ||||
| @ -27,5 +27,6 @@ | ||||
|   "homepage": "https://git.coolaj86.com/coolaj86/redirect-https.js#readme", | ||||
|   "dependencies": { | ||||
|     "escape-html": "^1.0.3" | ||||
|   } | ||||
|   }, | ||||
|   "devDependencies": {} | ||||
| } | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user