
I am trying to redirect my HTTP page to HTTPS. I found an existing discussion on Stack Overflow, "How to force SSL / https in Express.js", but `http = express.createServer()` has now become deprecated, so I was trying to do as below:

```javascript
var express = require("express")
  , http = require("http")
  , https = require("https");

var app = express();
// options: TLS key and certificate for https.createServer (defined elsewhere)

/* If I use below it gives ECONNREFUSED error */
http.get('*', function(req, res) {
  var path = req.headers.host;
  var pos = path.indexOf(':');
  res.redirect('https://' + path.substr(0, pos) + ':' + String(app.get('port')));
});

app.get('/', function(req, res) {
  // Something
});

https.createServer(options, app).listen(8000, function() {
  console.log("In Https");
});

http.createServer(app).listen(9000, function() {
  console.log("In http");
});
```

Can you please let me know why this error (ECONNREFUSED) occurs here? What should I modify to get it working, so that http redirects to https?

Regards, -M-

u_peerless
  • `http.get(*, function(req, res) {` is a syntax error. You can't just have a `*` there. – ThiefMaster Dec 03 '12 at 01:16
  • You are going about this in a very insecure way. The redirect to HTTPS is over HTTP, so you have already spilled everything and the response can be hijacked with sslstrip. Total and complete failure. – rook Dec 03 '12 at 02:18
  • Thanks ThiefMaster. I have corrected the syntax. Rook, can you provide me with a good solution to achieve what I am looking for? Or can you point me somewhere I can get the idea? – u_peerless Dec 03 '12 at 04:32
  • Stripe recently addressed this issue. If you connect to their API via HTTP by accident, they accept the request, invalidate your API token, and then push you back an error. I think this is a great approach - the problem is that once a user has exposed their token over HTTP, security cannot be guaranteed. – Ben Gotow Jul 01 '13 at 07:20
  • Note that if you have no important data in the URL and set the users' cookie to secure (meaning that it will only be transmitted over SSL), security is not compromised. – Xerri Feb 03 '14 at 22:37
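
As an added illustration (not code from the question or its comments): a plain-HTTP handler that does nothing except redirect, taking the host from an allowlist instead of echoing the `Host` header, plus a middleware for the HTTPS side that sets HSTS, which narrows the sslstrip exposure raised in the comments. The names `ALLOWED_HOSTS`, `httpsLocation`, `redirectHandler`, `hsts` and the host `example.test` are assumptions; ports 8000 and 9000 are the ones in the question.

```javascript
// Added example. Assumptions: the allowlist and host name are constructed;
// ports 8000 (HTTPS) and 9000 (HTTP) are the ones used in the question.
const HTTPS_PORT = 8000;
const ALLOWED_HOSTS = new Set(["example.test"]);

// Return the https:// URL for a plain-HTTP request, or null when the Host
// header is missing, malformed, or not a name we serve (never echo it blindly).
function httpsLocation(hostHeader, path) {
  if (typeof hostHeader !== "string") return null;
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  if (!m) return null;
  const host = m[1].toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return null;
  // req.url can be "*" or an absolute URL; only keep origin-form paths.
  const safePath = typeof path === "string" && path.startsWith("/") ? path : "/";
  const port = HTTPS_PORT === 443 ? "" : ":" + HTTPS_PORT;
  return "https://" + host + port + safePath;
}

// Handler for the plain-HTTP listener. It serves no content and reads no
// cookies or tokens; anything sent to it has already crossed the wire in clear.
function redirectHandler(req, res) {
  const location = httpsLocation(req.headers.host, req.url);
  if (location === null) {
    res.writeHead(400, { "Content-Type": "text/plain" });
    res.end("Bad Request");
    return;
  }
  res.writeHead(301, { Location: location });
  res.end();
}

// Express-style middleware for the HTTPS app: HSTS makes the browser go
// straight to HTTPS on later visits, until max-age expires.
function hsts(req, res, next) {
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  next();
}

// Wiring (core http.get() is the client API and sends a request; a listener
// is created with createServer):
//   app.use(hsts);
//   https.createServer(options, app).listen(HTTPS_PORT);
//   http.createServer(redirectHandler).listen(9000);
```

HSTS upgrades keep an explicit port, so the header pairs cleanly with this redirect only when the listeners run on 80 and 443. Session cookies should also carry the `Secure` attribute so they are never sent to the HTTP listener.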

0 Answers