coolaj86/redirect-https.js
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: coolaj86:7375a550eb936814a17f1db154a315579b28afad
Branches Tags
coolaj86:master
coolaj86:v1.3.1
coolaj86:v1.3.0
coolaj86:v1.1.6
coolaj86:v1.1.5
coolaj86:v1.1.1
coolaj86:v1.1.0
coolaj86:v1.0.0
..
compare: coolaj86:2b7805c87b4a2854be9bb55b02ebe52835059228
Branches Tags
coolaj86:master
coolaj86:v1.3.1
coolaj86:v1.3.0
coolaj86:v1.1.6
coolaj86:v1.1.5
coolaj86:v1.1.1
coolaj86:v1.1.0
coolaj86:v1.0.0

No commits in common. "7375a550eb936814a17f1db154a315579b28afad" and "2b7805c87b4a2854be9bb55b02ebe52835059228" have entirely different histories.
7375a550eb ... 2b7805c87b

3 changed files with 5 additions and 44 deletions
Show Stats Expand all files Collapse all files

30
README.md
View File

@ -1,12 +1,9 @@
# redirect-https.js
Secure-by-default redirects from HTTP to HTTPS.
Redirect from HTTP to HTTPS.
* Browsers get a 301 + Location redirect
* Only developers, bots, and APIs see security warning (advising to use HTTPS)
* Always uses meta redirect as a fallback, for everyone
* '/' always gets a 301 (for `curl | bash` installers)
* minimally configurable, don't get fancy
Makes for a seemless experience to end users in browsers (defaults to `301 Permanent + Location` redirect)
and tightens security for apis and bots, without adversely affecting strange browsers (fallback to `meta` redirect).
See <https://coolaj86.com/articles/secure-your-redirects/>
@ -31,7 +28,7 @@ module.exports = app;
## Options
```js
```
{ port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express
@ -45,25 +42,6 @@ module.exports = app;
* If you use `{{URL}}` in the body text it will be replaced with a URI encoded and HTML escaped url (it'll look just like it is)
* If you use `{{HTML_URL}}` in the body text it will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar)
## Advanced Options
For the sake of `curl | bash` installers and the like there is also the option to cause bots and apis (i.e. curl)
to get a certain redirect for an exact path match:
```js
{ paths: [
{ match: '/'
, redirect: 301
}
, { match: /^\/$/
, redirect: 301
}
]
}
```
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
## Demo
```javascript

17
index.js
View File

@ -15,9 +15,6 @@ module.exports = function (opts) {
if (!opts.apis) {
opts.apis = 'meta';
}
if (!Array.isArray(opts.paths)) {
opts.paths = [ { match: '/' } ];
}
if (!('body' in opts)) {
opts.body = "<!-- Hello Developer Person! We don't serve insecure resources around here."
+ "\n Please use HTTPS instead. -->";
@ -71,21 +68,7 @@ module.exports = function (opts) {
+ '<body>\n' + body + '\n</body>\n'
+ '</html>\n'
;
var pathMatch;
opts.paths.some(function (p) {
if (!p.match) {
// ignore
} else if ('string' === typeof p.match) {
pathMatch = (url === p.match) && (p.redirect || 301);
} else {
pathMatch = p.match.test && p.match.test(url) && (p.redirect || 301);
}
if (pathMatch) {
redirect = pathMatch;
}
return pathMatch;
});
// If it's not a non-0 number (because null is 0) then 'meta' is assumed.
if (redirect && isFinite(redirect)) {
res.statusCode = redirect;

2
package.json
View File

@ -1,6 +1,6 @@
{
"name": "redirect-https",
"version": "1.3.0",
"version": "1.2.0",
"description": "Redirect from HTTP to HTTPS using meta redirects",
"main": "index.js",
"scripts": {