`yes-https` is a happy little npm module that makes it easy to require https for your connect based application.

It does this two ways:
- Setting the `Strict-Transport-Security` HTTP header. Learn more at OWASP.
- Automatically sending an HTTP 301 for the first request. This is often overlooked, as HSTS only works after the browser hits the https endpoint the first time.

```sh
npm install yes-https
```

```js
import yes from 'yes-https';
import express from 'express';

let app = express();

// Use the yes-https connect middleware. Note - this will only work if NODE_ENV is set to production.
app.use(yes());

app.get('/', (req, res) => {
  res.end('Thanks for checking it out!');
});

const server = app.listen(process.env.PORT || 3000, () => {
  console.log('App listening on port %s', server.address().port);
  console.log('Press Ctrl+C to quit.');
});
```

You can also set a few settings with the middleware to control the header:

```js
app.use(yes({
  maxAge: 86400,            // defaults `86400`
  includeSubdomains: true,  // defaults `true`
  preload: true             // defaults `true`
}));
```

In some cases, you may want to ignore a request and not force the redirect. You can use the `ignoreFilter` option to opt out of redirects on a case by case basis. This is useful if you want to ignore a specific route:

```js
app.use(yes({
  ignoreFilter: (req) => {
    return (req.url.indexOf('/_ah/health') > -1);
  }
}));
```

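
To verify both behaviours described above on a deployment, the following added example (not part of yes-https or its README) parses a `Strict-Transport-Security` value and checks a plain-HTTP and an HTTPS response for the 301 and the header. The function names, the `{ status, headers }` response shape and the sample responses are assumptions constructed for illustration; the one-year minimum is the HSTS preload list's submission requirement.

```javascript
// Minimum max-age the HSTS preload list accepts (one year, in seconds).
const PRELOAD_MIN_MAX_AGE = 31536000;

// Parse a Strict-Transport-Security value into its RFC 6797 directives.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age') {
      const n = raw.trim().replace(/^"|"$/g, '');
      if (/^\d+$/.test(n)) policy.maxAge = Number(n);
    } else if (key === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (key === 'preload') {
      policy.preload = true;
    }
  }
  return policy;
}

// Check both behaviours: a 301 to https on plain HTTP, HSTS on HTTPS.
// `plain` and `secure` are { status, headers } with lower-case header names
// (assumed shape for this example).
function checkHttpsEnforcement(plain, secure) {
  const findings = [];
  const location = plain.headers.location || '';
  if (plain.status !== 301 || !location.startsWith('https://')) {
    findings.push('plain HTTP request is not redirected to https with a 301');
  }
  const header = secure.headers['strict-transport-security'];
  if (!header) {
    findings.push('HTTPS response has no Strict-Transport-Security header');
    return findings;
  }
  const policy = parseHsts(header);
  if (policy.maxAge === null) findings.push('HSTS header has no valid max-age');
  else if (policy.maxAge === 0) findings.push('max-age=0 clears the HSTS policy');
  if (policy.preload && (policy.maxAge < PRELOAD_MIN_MAX_AGE || !policy.includeSubDomains)) {
    findings.push('preload is set but max-age or includeSubDomains misses the preload-list minimum');
  }
  return findings;
}

// Constructed sample responses (not captured traffic).
const samplePlain = { status: 301, headers: { location: 'https://example.com/' } };
const sampleSecure = { status: 200, headers: {
  'strict-transport-security': 'max-age=86400; includeSubDomains; preload' } };
console.log(checkHttpsEnforcement(samplePlain, sampleSecure));
```

On the constructed samples this reports one finding: a header carrying `max-age=86400` together with `preload` is below the preload list's one-year minimum, so a site that intends to submit for preloading needs a larger `maxAge`.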
Pull requests welcomed!