yes-https is a happy little npm module that makes it easy to require https for your connect-based application.
It does this in two ways:
- Setting the `Strict-Transport-Security` HTTP header. Learn more at OWASP.
- Automatically sending an HTTP 301 for the first request. This is often overlooked, as HSTS only works after the browser hits the https endpoint the first time.

```sh
npm install yes-https
```

```javascript
import yes from 'yes-https';
import express from 'express';

let app = express();

// Use the yes-https connect middleware. Note - this will only work if NODE_ENV is set to production.
app.use(yes());

app.get('/', (req, res) => {
  res.end('Thanks for checking it out!');
});

const server = app.listen(process.env.PORT || 3000, () => {
  console.log('App listening on port %s', server.address().port);
  console.log('Press Ctrl+C to quit.');
});
```

You can also set a few settings with the middleware to control the header:

```javascript
app.use(yes({
  maxAge: 86400,            // defaults `86400`
  includeSubdomains: true,  // defaults `true`
  preload: true             // defaults `true`
}));
```

In some cases, you may want to ignore a request and not force the redirect. You can use the `ignoreFilter` option to opt out of redirects on a case-by-case basis. This is useful if you want to ignore a specific route:

```javascript
app.use(yes({
  ignoreFilter: (req) => {
    return (req.url.indexOf('/_ah/health') > -1);
  }
}));
```

Pull requests welcomed!
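
For the `ignoreFilter` option above: `indexOf` on `req.url` is true when the text appears anywhere in the URL, query string included, so an exact-path filter keeps the opt-out limited to the one route. This is an added example, not code from yes-https or its README; `makeIgnoreFilter`, `substringFilter`, `exemptedUrls` and the sample URLs are hypothetical names and constructed inputs.

```javascript
// Added example (not yes-https code). All names here are hypothetical and
// the sample URLs are constructed inputs.

// The README's filter: true when the text appears anywhere in req.url.
const substringFilter = (req) => req.url.indexOf('/_ah/health') > -1;

// Exact-path filter: exempts a request only when its path, with the query
// string removed, is one of the listed routes.
function makeIgnoreFilter(exemptPaths) {
  const exempt = new Set(exemptPaths);
  return (req) => {
    if (!req || typeof req.url !== 'string') {
      return false; // nothing to match on: keep forcing https
    }
    const path = req.url.split('?', 1)[0];
    return exempt.has(path);
  };
}

// Run a filter over sample URLs and return the ones it would exempt.
function exemptedUrls(filter, urls) {
  return urls.filter((url) => filter({ url }));
}

// Constructed sample request URLs.
const sampleUrls = [
  '/_ah/health',                 // the health-check route itself
  '/_ah/health?probe=1',         // same route with a query string
  '/account?next=/_ah/health',   // text appears only in the query string
  '/files/_ah/health/report',    // text appears inside a longer path
  '/',
];

const exactFilter = makeIgnoreFilter(['/_ah/health']);

console.log('substring match exempts:', exemptedUrls(substringFilter, sampleUrls));
console.log('exact path exempts:     ', exemptedUrls(exactFilter, sampleUrls));

// Wiring it into the middleware uses the same option shown above:
//   app.use(yes({ ignoreFilter: makeIgnoreFilter(['/_ah/health']) }));
```

Percent-encoded or otherwise non-matching forms of the path are not exempted, so they continue to be redirected.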