Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
follow-redirects
The follow-redirects npm package is a drop-in replacement for Node.js' native http and https modules that automatically follows HTTP(S) redirects. It provides an easy way to make HTTP(S) requests without having to manually handle redirection logic.
HTTP/HTTPS request with automatic redirection
This code demonstrates how to make a simple HTTP GET request that automatically follows redirects using the follow-redirects package.
const http = require('follow-redirects').http;

http.get('http://example.com', (response) => {
  response.on('data', (chunk) => {
    console.log(chunk.toString());
  });
}).on('error', (err) => {
  console.error(err);
});
Customizing redirect options
This code snippet shows how to customize the behavior of follow-redirects by setting the maximum number of redirects to follow and adding a hook to log the URL before redirecting.
const https = require('follow-redirects').https;

const options = {
  maxRedirects: 10,
  beforeRedirect: (options, { headers }) => {
    console.log(`Redirecting to: ${options.hostname}${options.path}`);
  }
};

https.get('https://example.com', options, (response) => {
  // Handle response
}).on('error', (err) => {
  console.error(err);
});
Streaming response data
This example demonstrates how to stream data from an HTTP GET request to a file, which is useful for downloading files while following redirects.
const http = require('follow-redirects').http;
const fs = require('fs');

const file = fs.createWriteStream('downloaded_file.txt');

http.get('http://example.com/file', (response) => {
  response.pipe(file);
}).on('error', (err) => {
  console.error(err);
});
Axios is a promise-based HTTP client for the browser and Node.js that supports automatic redirection. It provides a more feature-rich API compared to follow-redirects, including interceptors, request cancellation, and protection against XSRF.
Request is a simplified HTTP request client that supports redirection by default. It is no longer maintained, but it was once a popular choice for making HTTP requests in Node.js. It offered a higher-level API with convenience methods and support for forms and multipart file uploads.
Got is a human-friendly and powerful HTTP request library for Node.js. It handles redirections by default and provides a wide range of options for customization, retries, streams, and more. It is designed to be a more modern and feature-rich alternative to other HTTP request libraries.
Node-fetch is a light-weight module that brings the Fetch API to Node.js. It follows redirects by default and aims to provide a consistent API with the browser's fetch function. It is a good choice for those who prefer the Fetch API's promise-based syntax.
Drop-in replacement for Node's http and https modules that automatically follows redirects.
follow-redirects provides request and get methods that behave identically to those found on the native http and https modules, with the exception that they will seamlessly follow redirects.
const { http, https } = require('follow-redirects');

http.get('http://bit.ly/900913', response => {
  response.on('data', chunk => {
    console.log(chunk);
  });
}).on('error', err => {
  console.error(err);
});
You can inspect the final redirected URL through the responseUrl property on the response.
If no redirection happened, responseUrl is the original request URL.
const request = https.request({
  host: 'bitly.com',
  path: '/UHfDGO',
}, response => {
  console.log(response.responseUrl);
  // 'http://duckduckgo.com/robots.txt'
});
request.end();
Global options are set directly on the follow-redirects module:
const followRedirects = require('follow-redirects');
followRedirects.maxRedirects = 10;
followRedirects.maxBodyLength = 20 * 1024 * 1024; // 20 MB
The following global options are supported:
maxRedirects (default: 21) – sets the maximum number of allowed redirects; if exceeded, an error will be emitted.
maxBodyLength (default: 10MB) – sets the maximum size of the request body; if exceeded, an error will be emitted.
Per-request options are set by passing an options object:
const url = require('url');
const { http, https } = require('follow-redirects');

const options = url.parse('http://bit.ly/900913');
options.maxRedirects = 10;
options.beforeRedirect = (options, response, request) => {
  // Use this to adjust the request options upon redirecting,
  // to inspect the latest response headers,
  // or to cancel the request by throwing an error

  // response.headers = the redirect response headers
  // response.statusCode = the redirect response code (eg. 301, 307, etc.)

  // request.url = the requested URL that resulted in a redirect
  // request.headers = the headers in the request that resulted in a redirect
  // request.method = the method of the request that resulted in a redirect
  if (options.hostname === "example.com") {
    options.auth = "user:password";
  }
};
http.request(options);
In addition to the standard HTTP and HTTPS options, the following per-request options are supported:
followRedirects (default: true) – whether redirects should be followed.
maxRedirects (default: 21) – sets the maximum number of allowed redirects; if exceeded, an error will be emitted.
maxBodyLength (default: 10MB) – sets the maximum size of the request body; if exceeded, an error will be emitted.
beforeRedirect (default: undefined) – optionally change the request options on redirects, or abort the request by throwing an error.
agents (default: undefined) – sets the agent option per protocol, since HTTP and HTTPS use different agents. Example value: { http: new http.Agent(), https: new https.Agent() }
trackRedirects (default: false) – whether to store the redirected response details into the redirects array on the response object.
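The beforeRedirect hook is the place to enforce a redirect policy, since it sees the next target in options and the previous URL in request.url and can abort by throwing. The following is an added example, not code from the follow-redirects project: makeRedirectGuard, tryRedirect and the allowedHosts setting are hypothetical names, and it assumes options carries protocol, hostname and headers for the redirect target.

```javascript
// Added example (not follow-redirects code): a policy hook for beforeRedirect.
// makeRedirectGuard, tryRedirect and allowedHosts are hypothetical names.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

function makeRedirectGuard({ allowedHosts, allowDowngrade = false }) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));

  // Same signature as the beforeRedirect(options, response, request) hook.
  return function beforeRedirect(options, response, request) {
    const from = new URL(request.url); // URL that produced the redirect
    const toHost = String(options.hostname || '').toLowerCase();
    const toProtocol = options.protocol || from.protocol;

    if (!allowed.has(toHost)) {
      throw new Error(`redirect to non-allowlisted host refused: ${toHost}`);
    }
    if (!allowDowngrade && from.protocol === 'https:' && toProtocol === 'http:') {
      throw new Error(`https to http redirect refused: ${toHost}`);
    }
    // Host changed: do not carry credentials over to the new host.
    if (toHost !== from.hostname) {
      delete options.auth;
      for (const name of Object.keys(options.headers || {})) {
        if (CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
          delete options.headers[name];
        }
      }
    }
  };
}

// Exercise the hook offline with constructed redirect data (no network).
function tryRedirect(guard, fromUrl, toOptions) {
  try {
    guard(toOptions, { statusCode: 302, headers: {} },
      { url: fromUrl, method: 'GET', headers: {} });
    return { allowed: true, options: toOptions };
  } catch (err) {
    return { allowed: false, reason: err.message };
  }
}

// Wiring it up (assumes follow-redirects is installed):
//   options.beforeRedirect = makeRedirectGuard({ allowedHosts: ['example.com'] });
```

Combine the guard with a low maxRedirects so a redirect loop between allowlisted hosts still terminates quickly.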
By default, follow-redirects will use the Node.js default implementations of http and https.
To enable features such as caching and/or intermediate request tracking, you might instead want to wrap follow-redirects around custom protocol implementations:
const { http, https } = require('follow-redirects').wrap({
  http: require('your-custom-http'),
  https: require('your-custom-https'),
});
Such custom protocols only need an implementation of the request method.
Due to the way the browser works, the http and https browser equivalents perform redirects by default.
By requiring follow-redirects this way:
const http = require('follow-redirects/http');
const https = require('follow-redirects/https');
you can easily tell webpack and friends to replace follow-redirects by the built-in versions:
{
  "follow-redirects/http" : "http",
  "follow-redirects/https" : "https"
}
Pull Requests are always welcome. Please file an issue detailing your proposal before you invest your valuable time. Additional features and bug fixes should be accompanied by tests. You can run the test suite locally with a simple npm test command.
follow-redirects uses the excellent debug for logging. To turn on logging, set the environment variable DEBUG=follow-redirects for debug output from just this module. When running the test suite it is sometimes advantageous to set DEBUG=* to see output from the express server as well.
FAQs
HTTP and HTTPS modules that follow redirects.
We found that follow-redirects demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.