Force SSL on production #188
Conversation
|
Should it be a config setting so people can turn off if it breaks for them? |
|
Yes, just adding that now. |
| @@ -13,6 +13,9 @@ module.exports = { | |||
| // Enable or disable password protection on production | |||
| useAuth: 'true', | |||
|
|
|||
| // Enable or disable HTTPs / SSL on production | |||
There was a problem hiding this comment.
dont think this is accurate - the code doesnt enable or disable HTTPS, it toggles a redirect
| @@ -95,3 +95,11 @@ exports.findAvailablePort = function(app){ | |||
| }); | |||
|
|
|||
| } | |||
|
|
|||
| exports.forceHttps = function(req, res, next) { | |||
| if (req.headers['x-forwarded-proto'] !== 'https') { | |||
There was a problem hiding this comment.
could check req.secure instead:
|
We should check the docs to see if anything needs updating |
|
Checked codebase for references to 'http'. Nothing in the docs, but I updated 2 links that should probably have been https all along. |
|
@joelanman I couldn't get This page mentions: "Update: If you use a DNS redirect, req.secure may not work correctly and cause an infinite redirect loop. You should use req.headers['x-forwarded-proto'] !== 'https' instead in this case." |
|
@mcgoooo : does this look OK to you from a Node point of view? |
|
@robinwhittleton yeah looks good! |
|
great work @edwardhorsford 👍 |
This redirects requests to https.
Heroku has SSL built in, so for most prototypes, things should work as normal, except with SSL.
Note: I think this is a breaking change, since it requires production servers to have HTTPs set up.