Skip to content

An express middleware that redirects unencrypted HTTP requests to HTTPS

License

Notifications You must be signed in to change notification settings

paulohp/force-ssl-heroku

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 

Repository files navigation

force-ssl-heroku

An express middleware that redirects unencrypted HTTP requests to HTTPS on Heroku instances.

Heroku does SSL termination at its load balancer. However, the internal nodeJS app can tell if the original request was made with HTTP by inspecting headers inserted by Heroku. We can use this to redirect to the HTTPS Heroku url.

Installation

npm install force-ssl-heroku --save

Usage

It's designed for use with express:

var express = require('express');
var forceSsl = require('force-ssl-heroku');

var app = express();
app.use(forceSsl);

// Example:
app.get('/ping', pingHandler); // I'll now redirect to HTTPS.

// ... configure the rest of your routes.

app.listen(3000, 'localhost');

Caveat

It works because Heroku exposes your app through a reverse proxy which is used for load-balancing and other things. This reverse proxy does SSL termination and forwards to your app which should only accept connections from localhost. The middleware detects this situation by inspecting headers inserted by Heroku's reverse proxy; since headers can be spoofed, you should not use this middleware anywhere that's not behind such a proxy!

About

An express middleware that redirects unencrypted HTTP requests to HTTPS

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published