I’m just checking in to see if anybody has a good solution that works well with Wappler in order to force our users to be on the HTTPS version of our site?
It’s currently hosted on Heroku with NodeJS using the automated SSL certificates from Heroku.
Is it something done in the routes, or is there something that can be done with express.js, or is there an even better solution? The Heroku documentation explains something to do with ensuring that your request headers are set to X-Forwarded-Proto: https, but I don’t quite understand where or how I would do such a thing.
Any advice or solutions would be greatly appreciated!
Hi, I'm trying to force the use of HTTPS on Heroku / Node JS.
I looked at and spoke to Expedited Security - they have a great WAF solution but it's a bit overkill / expensive to just force HTTPS. Mike at Expedited Security suggested using express-force-https (npm). As this doesn't seem to be tied to Heroku, I wasn't sure how to use/integrate it.
I'm using Wappler as I'm not an expert, and the 2 options above are well beyond my capability, so I would really appreciate others' expert guidance on which to use, or another solution, and how to integrate this into my Wappler app.
Hi, I've got the list of variables and which ones change depending on if it is HTTP or HTTPS, but I'm not sure in what file/folder the check for the HTTP variable exists and how you redirect to the current URL but HTTPS.
I've also read about a solution where you introduce the check and redirection as part of the Servlet filter. I've also read that this is implemented in the web.xml file, but I can't find that file/folder or know where the filters are and how you add this additional filter.
Any help would be greatly appreciated.
Thanks,
Nigel
added screenshots of http and https variable settings
It is idiotic that Heroku asks for money for something like redirecting to HTTPS.
Create a new file extensions/server_connect/routes/force_https.js with the following content:
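exports.before = function(app) {
    app.use((req, res, next) => {
        // Heroku's router reports the original scheme in X-Forwarded-Proto
        if ((req.get('x-forwarded-proto') || '').startsWith('https')) {
            // Already HTTPS: return here so no redirect is sent as well
            return next();
        }
        if (req.method === 'GET' || req.method === 'HEAD') {
            // Safe methods: permanent redirect to the same URL over HTTPS
            res.redirect(301, 'https://' + req.hostname + req.originalUrl);
        } else {
            // Requests that carry data are refused rather than redirected
            res.status(403).send('Please use HTTPS when submitting data to this server');
        }
    });
};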
This is currently the best solution since it doesn't get overwritten by any future updates. It would be better to have it before any other middleware but there is no extension hook for that.
Thank you very much @patrick - this seems to do the job pretty well.
I definitely second your point that it's madness that redirection to HTTPS is a paid feature in this day and age. It's a shame that it has to be done at this layer.
I am going to ask though, are you aware of any way to make the local development web server built into Wappler work when this is added?
My understanding is that the local server doesn't support HTTPS?
You could consider Cloudflare. The free tier will allow you to redirect all traffic to HTTPS. Relatively simple to set up and doesn't cost anything at all.
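A variant of the force_https.js middleware from earlier in the thread that also leaves an HTTP-only local development server usable, given as an added example (not code from any poster or from Wappler). It assumes a hypothetical `FORCE_HTTPS` config var that is set to `1` only on the Heroku app; `httpsDecision` is an illustrative helper name.

```javascript
// Assumption: FORCE_HTTPS=1 is a config var set on the hosted app only, so a
// local server that speaks plain HTTP is never redirected.
const ENFORCE = process.env.FORCE_HTTPS === '1';

// Pure decision function, kept separate so it can be tested without a server.
function httpsDecision({ method, hostname, originalUrl, forwardedProto }, enforce) {
  if (!enforce) return { action: 'next' };
  // The header can hold a comma-separated list when proxies are chained;
  // this example takes the first entry, as Express's req.protocol does.
  const proto = String(forwardedProto || '').split(',')[0].trim().toLowerCase();
  if (proto === 'https') return { action: 'next' };
  if (method === 'GET' || method === 'HEAD') {
    return { action: 'redirect', location: 'https://' + hostname + originalUrl };
  }
  // A request body has already crossed the network in clear text by the time
  // the server sees it, and a 301 may be retried as GET, so refuse instead.
  return { action: 'reject' };
}

// Same hook shape as the force_https.js file shown in the thread.
function before(app) {
  app.use((req, res, next) => {
    const decision = httpsDecision({
      method: req.method,
      hostname: req.hostname,
      originalUrl: req.originalUrl,
      forwardedProto: req.get('x-forwarded-proto'),
    }, ENFORCE);
    if (decision.action === 'next') return next();
    if (decision.action === 'redirect') return res.redirect(301, decision.location);
    return res.status(403).send('Please use HTTPS when submitting data to this server');
  });
}

// Export only where a CommonJS `exports` object exists (as in the extension file).
if (typeof exports === 'object') exports.before = before;
```

The header is only meaningful when a proxy such as Heroku's router sets it; a client talking to the app directly can send any value it likes.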