Node/Express - Always add https in front of URL

Question

I have an application running on Heroku and I'm trying to ensure that the URL always have the https://, even when the user does not provide it.

With the following configuration, I could make it replace http:// for https:// when the user provide http://example.com on the URL. But still doesn't work when the user does not provide http:// (when he provide only example.com):

var express = require('express');
var path = require('path');
var serveStatic = require('serve-static');

var forceSsl = function (req, res, next) {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  return next();
};

app = express();
app.use(serveStatic(__dirname));

if(process.env.NODE_ENV === 'production') {
  app.use(forceSsl);
}

var port = process.env.PORT || 5000;
app.listen(port);

app.all('/*', function(req, res) {
  res.sendfile('index.html');
});

console.log('server started '+ port);

How could I achieve that?

EDIT

I'm not having issues with configuring SSL. It's working fine when the user does provide http:// or https:// prefix on the URL. The problem is when the user does not provide this prefix. In this case, the browser does not prepend http:// neither https:// automatically, and then the SSL doesn't apply.

does this link help https://stackoverflow.com/questions/7450940/automatic-https-connection-redirect-with-node-js-express — arodjabel, Jul 20 '17 at 18:35
URLs _always_ include a protocol. If you type `example.com`, the browser will prepend `http://`. What exactly is happening? What redirects do you see? — SLaks, Jul 20 '17 at 18:35
This link should help with setting up your ssl with express. https://stackoverflow.com/questions/8605720/how-to-force-ssl-https-in-express-js — SimplyComplexable, Jul 20 '17 at 18:38
SSL is already working. The problem is that it doesn't redirect to https when the user does not explicitly provide an http:// or https:// prefix on the URL. It works fine when the user does provide these prefixes, but not when it doesn't provide any prefix. — felipeecst, Jul 20 '17 at 18:47

score 0 · Answer 1 · answered Jul 20 '17 at 18:39

0

This is a utility made specifically for node on heroku to redirect traffic to https.

answered Jul 20 '17 at 18:39

SimplyComplexable

1,116
11
19

I checked the source code and it does exactly what I'm doing. I'm not having issues with configuring SSL. It's working fine when the user does provide http:// or https:// prefix on the URL. The problem is when the user does not provide this prefix. In this case, the browser does not prepend http:// neither https:// automatically, and then the SSL doesn't apply. – felipeecst Jul 20 '17 at 18:51
@felipeecst no browsers appended http:// when nothing is provided or use cache to determine if it needs to be https:// just because you do not see http:// in the url address does not mean it's not there. – Darkrum Jul 21 '17 at 04:55
Ok, but in this case (when I do not provide http://) the redirection doesn't work and the page is marked as insecure. When I explicitly prepend http:// it is redirected to https:// and everything works fine. – felipeecst Jul 21 '17 at 10:47

Node/Express - Always add https in front of URL

1 Answers1