Merge pull request #480 from alphagov/force-ssl

Serve GOV.UK elements over https
alphagov · Jun 14, 2017 · 56808ac · 56808ac
2 parents 377a7ab + 77b2265
commit 56808ac
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,6 +10,5 @@ dist/*
 shots
 shots_history
 # These folders were previously generated by build tasks
-lib/*
 app/views/snippets/encoded/*
 govuk_modules/*
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@ GOV.UK elements ·
 
 GOV.UK elements is three things:
 
-1. [An online design guide](http://govuk-elements.herokuapp.com/), explaining how to make your service look consistent with the rest of GOV.UK.
+1. [An online design guide](https://govuk-elements.herokuapp.com/), explaining how to make your service look consistent with the rest of GOV.UK.
 2. An example of how to use the code in the [GOV.UK template](https://github.com/alphagov/govuk_template) and the [GOV.UK frontend toolkit](https://github.com/alphagov/govuk_frontend_toolkit).
 3. An [npm package of the Sass files](https://www.npmjs.com/package/govuk-elements-sass).
 

diff --git a/app/config.js b/app/config.js
@@ -4,6 +4,9 @@
 
 module.exports = {
 
+  // Force HTTP to redirect to HTTPs on production
+  useHttps: 'true',
+
   // Cookie warning
   cookieText: 'GOV.UK uses cookies to make the site simpler. <a href="https://www.gov.uk/help/cookies">Find out more about cookies</a>'
 

diff --git a/lib/utils.js b/lib/utils.js
@@ -0,0 +1,8 @@
+exports.forceHttps = function (req, res, next) {
+  if (req.headers['x-forwarded-proto'] !== 'https') {
+    console.log('Redirecting request to https')
+    // 302 temporary - this is a feature that can be disabled
+    return res.redirect(302, 'https://' + req.get('Host') + req.url)
+  }
+  next()
+}
diff --git a/server.js b/server.js
@@ -7,6 +7,14 @@ var bodyParser = require('body-parser')
 var config = require('./app/config.js')
 var port = (process.env.PORT || 3000)
 var IS_HEROKU = process.env.hasOwnProperty('IS_HEROKU')
+var utils = path.join(__dirname, '/lib/utils.js')
+
+// Grab environment variables specified in Procfile or as Heroku config vars
+var env = process.env.NODE_ENV || 'development'
+var useHttps = process.env.USE_HTTPS || config.useHttps
+
+env = env.toLowerCase()
+useHttps = useHttps.toLowerCase()
 
 module.exports = app
 
@@ -62,3 +70,8 @@ app.listen(port, function () {
     console.log('Listening on port ' + port + '   url: http://localhost:' + port)
   }
 })
+
+// Force HTTPs on production connections
+if (env === 'production' && useHttps === 'true') {
+  app.use(utils.forceHttps)
+}