Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Force https when running in production #141

Open
GrilloPress opened this issue Nov 22, 2019 · 3 comments
Open

Force https when running in production #141

GrilloPress opened this issue Nov 22, 2019 · 3 comments

Comments

@GrilloPress
Copy link
Contributor

Most websites are now https and chrome gives you a warning if a website you are visiting isn't using http.

The prototype kit doesn't force this. So if you deploy to heroku you can have both a http and https version of the website. https is more secure.

In the app team we also noticed that when running the prototype kit as a PWA (to simulate the app) that if we used the http version a massive warning bar came up when a user used a field. This happened on every text input.

We should force (or allow the kit to force) https. More secure. Saves issues for people navigating and sharing the http version for testing and documentation.
@GrilloPress
Copy link
Contributor Author

I ended up implementing this in my kit by adding to my app.js file:

var env = (process.env.NODE_ENV || 'development').toLowerCase()
var forceHttps = function (req, res, next) {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    console.log('Redirecting request to https')
    // 302 temporary - this is a feature that can be disabled
    return res.redirect(302, 'https://' + req.get('Host') + req.url)
  }
  // Mark proxy as secure (allows secure cookies)
  req.connection.proxySecure = true
  next()
}
var useHttps = process.env.USE_HTTPS || config.useHttps
useHttps = useHttps.toLowerCase()
// Force HTTPS on production. Do this before using basicAuth to avoid
// asking for username/password twice (for `http`, then `https`).
var isSecure = (env === 'production' && useHttps === 'true')
if (isSecure) {
  app.use(forceHttps)
  app.set('trust proxy', 1) // needed for secure cookies on heroku
}

and to myapp/config.js file:

// Force HTTP to redirect to HTTPS on production
useHttps: 'true',

@joelanman
Copy link

just to note the code is still in the NHS kit from the GOV.UK kit, it's just commented out:

https://github.com/nhsuk/nhsuk-prototype-kit/blob/master/lib/utils.js#L128-L141

@GrilloPress
Copy link
Contributor Author

Yes. I noticed but when I uncommented it it completely borked my app.

I'm going to see if I can get the code working in the prototype utils file as per the gov.uk one and create a pull request.

There were a few lines of code that have been cut out of the NHS kit that were in the gov.uk one

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joelanman @GrilloPress