redirect-https
Advanced tools
Secure-by-default redirects from HTTP to HTTPS.
curl | bash installers)See https://coolaj86.com/articles/secure-your-redirects/
npm install --save redirect-https
"use strict";
var express = require("express");
var app = express();
var redirector = require("redirect-https")({
body: "<!-- Hello Developer! Please use HTTPS instead: {{ URL }} -->"
});
app.use("/", redirector);
module.exports = app;
{ port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express
, browsers: 301 // issue 301 redirect if the user-agent contains "Mozilla/"
, apis: 'meta' // issue meta redirects to non-browsers
}
next() if the connection is already tls / https.trustProxy is true, and X-Forward-Proto is https, next() will be called.{{ URL }} in the body text will be replaced with a URI encoded and HTML escaped url (it'll look just like it is){{ HTML_URL }} in the body text will be replaced with a URI decoded and HTML escaped url (it'll look just like it would in Chrome's URL bar){{ UNSAFE_URL }} is the raw, original url"use strict";
var http = require("http");
var server = http.createServer();
var securePort = process.argv[2] || 8443;
var insecurePort = process.argv[3] || 8080;
var redirector = require("redirect-https")({
port: securePort,
body: "<!-- Hello! Please use HTTPS instead: {{ URL }} -->",
trustProxy: true // default is false
});
server.on("request", redirector);
server.listen(insecurePort, function () {
console.log(
"Listening on http://localhost.rootprojects.org:" +
server.address().port
);
});
For the sake of curl | bash installers and the like there is also the option to cause bots and apis (i.e. curl)
to get a certain redirect for an exact path match:
{
paths: [
{ match: "/", redirect: 301 },
{ match: /^\/$/, redirect: 301 }
];
}
If you're using this, you're probably getting too fancy (but hey, I get too fancy sometimes too).
When something is broken (i.e. insecure), you don't want it to kinda work, you want developers to notice.
Using a meta redirect will break requests from curl and api calls from a programming language, but still have all the SEO and speed benefits of a normal 301.
<html><head>
<meta http-equiv="refresh" content="0;URL='https://example.com/foo'" />
</head><body>
<!-- Hello Mr. Developer! Please use https instead. Thank you! -->
</html>
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it so that no malicious links of this sort will yield unexpected behavior:
http://localhost.rootprojects.org:8080/"><script>alert('hi')</script>http://localhost.rootprojects.org:8080/';URL=http://example.comhttp://localhost.rootprojects.org:8080/;URL=http://example.comFAQs
Redirect from HTTP to HTTPS using meta redirects
The npm package redirect-https receives a total of 7,978 weekly downloads. As such, redirect-https popularity was classified as popular.
We found that redirect-https demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
New research reveals that LLMs often fake understanding, passing benchmarks but failing to apply concepts or stay internally consistent.
Security News
Django has updated its security policies to reject AI-generated vulnerability reports that include fabricated or unverifiable content.
Security News
ECMAScript 2025 introduces Iterator Helpers, Set methods, JSON modules, and more in its latest spec update approved by Ecma in June 2025.