los7world

Reputation: 173

HTTPS redirection for all routes node.js/express - Security concerns

I recently took a stab at setting up HTTPS on a node/express server. I have successfully managed to redirect all the routes to use https using the code below:

// force https redirect
var env = app.get('env'); // Express env name, 'development' unless NODE_ENV is set
var https_redirect = function(req, res, next) {
  // Redirect only when the request did NOT arrive over TLS; redirecting
  // when req.secure is already true would loop forever.
  if (!req.secure) {
    if (env === 'development') {
      return res.redirect('https://localhost:3000' + req.url);
    } else {
      return res.redirect('https://' + req.headers.host + req.url);
    }
  } else {
    return next();
  }
};

// wildcard route so every GET goes through the check
app.get('*', function(req, res, next) {
  https_redirect(req, res, next);
});

This seems to be working fine. However, since I haven't dabbled in this before, I have a couple of questions:

  1. Is this the ideal way to redirect from http to https?
  2. If a user uses the http route, prior to the redirect, is it possible for anyone to use something like sslstrip to sniff out session info?

node: v0.8.2 ; express: v3.05

Upvotes: 17

Views: 15806

Answers (3)

davejoem

Reputation: 5512

I use this simple code to redirect requests depending on whether the application is in development or production.

// force https redirect
var forceHTTPS = function () {
  return function(req, res, next) {
    // Redirect plain-HTTP requests; let TLS requests through to the router.
    if (!req.secure) {
      if (app.get('env') === 'development') {
        return res.redirect('https://localhost:3001' + req.url);
      } else {
        return res.redirect('https://' + req.headers.host + req.url);
      }
    } else {
      return next();
    }
  };
};

Upvotes: 0

Peter Lyons

Reputation: 146174

function requireHTTPS(req, res, next) {
    if (!req.secure) {
        //FYI this should work for local development as well
        return res.redirect('https://' + req.get('host') + req.url);
    }
    next();
}

app.use(requireHTTPS);
app.get('/', routeHandlerHome);

The middleware approach will work because express will run the middleware in the order added, before it runs the router, and in general this kind of site-wide policy is cleaner as middleware vs. a wildcard route.

Regarding question 2 about sniffing session cookies, that must be addressed by marking the cookies as secure when you set them. If they haven't been marked secure, the browser will transmit them with HTTP requests as well, thus exposing them to sniffing.

Upvotes: 43
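Putting this answer's two points together (site-wide middleware rather than a wildcard route, and Secure session cookies) with the proxy and sslstrip caveats raised in the question, as an added example that is not code from the question or any answer. It assumes Express-like req/res shapes and exercises them with constructed stubs; trustProxy, isSecureRequest, run and sessionCookie are names introduced here.

```javascript
// Express-style "require HTTPS" middleware, written against plain
// (req, res, next) objects so it runs without Express installed; the
// shapes used (req.secure, req.headers, res.redirect) match Express 3.
function isSecureRequest(req, trustProxy) {
  // req.secure reflects the socket. Behind a TLS-terminating proxy the
  // socket is plain HTTP, so honour X-Forwarded-Proto only when the proxy
  // is trusted (Express does this when you app.enable('trust proxy')).
  if (req.secure) return true;
  if (!trustProxy) return false;
  var proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0];
  return proto.trim().toLowerCase() === 'https';
}

function requireHTTPS(options) {
  var trustProxy = Boolean(options && options.trustProxy);
  return function (req, res, next) {
    if (!isSecureRequest(req, trustProxy)) {
      // Only GET/HEAD are redirected: a POST body has already crossed the
      // wire in clear and must not be silently replayed.
      if (req.method !== 'GET' && req.method !== 'HEAD') {
        res.statusCode = 403;
        return res.end('HTTPS required');
      }
      return res.redirect(301, 'https://' + req.headers.host + req.url);
    }
    // HSTS: a browser that has seen this skips the plain-HTTP request
    // next time, which removes the window sslstrip relies on.
    res.setHeader('Strict-Transport-Security', 'max-age=31536000');
    next();
  };
}

// Cookie attributes for the session id. In Express:
// res.cookie('sid', id, { secure: true, httpOnly: true }).
// Secure keeps the browser from attaching it to the HTTP request
// that triggers the redirect; HttpOnly keeps it away from page scripts.
function sessionCookie(sessionId) {
  return 'sid=' + encodeURIComponent(sessionId) + '; Path=/; Secure; HttpOnly';
}

// Constructed stand-in for Express res/next used to exercise the middleware.
function run(middleware, req) {
  var res = { statusCode: 200, headers: {}, location: null, body: '', nextCalled: false };
  res.setHeader = function (k, v) { res.headers[k] = v; };
  res.redirect = function (code, url) { res.statusCode = code; res.location = url; };
  res.end = function (body) { res.body = body || ''; };
  middleware(req, res, function () { res.nextCalled = true; });
  return res;
}
```

Without trustProxy the X-Forwarded-Proto header is ignored, so a deployment behind a proxy that forgets `trust proxy` would redirect every request in a loop; the stub makes that visible before it reaches production.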

red

Reputation: 3233

You can simply use your https_redirect function (though a bit modified) as middleware to automatically redirect all of your secure requests:

// force https redirect
var env = app.get('env'); // Express env name, 'development' unless NODE_ENV is set
var https_redirect = function () {
  return function(req, res, next) {
    // Redirect only plain-HTTP requests; a request that is already
    // secure must fall through to next(), otherwise it loops.
    if (!req.secure) {
      if (env === 'development') {
        return res.redirect('https://localhost:3000' + req.url);
      } else {
        return res.redirect('https://' + req.headers.host + req.url);
      }
    } else {
      return next();
    }
  };
};

// registered before the routes, so it runs for every request
app.use(https_redirect());

app.get('/', routeHandlerHome);

Upvotes: 2
