Force Glitch projects to use HTTPS


#1

Hello there!

I’ve noticed that sometimes a user will just type in myapp.glitch.me without the https:// part, which makes the website look unsafe. I think Glitch should automatically force HTTPS, so their hello-express template becomes:

// server.js
// where your node app starts

// init project
const express = require('express');
const app = express();

// we've started you off with Express, 
// but feel free to use whatever libs or frameworks you'd like through `package.json`.

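/**
 * Express middleware that redirects plain-HTTP requests to HTTPS.
 *
 * The client's protocol is read from the `X-Forwarded-Proto` header, which
 * assumes the app runs behind a proxy that terminates TLS and sets that
 * header. The value is only trustworthy when such a proxy sets it; a client
 * that can reach the app directly can send any value it likes.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Continues to the next handler.
 * @returns {*} Whatever `next()` returns for HTTPS requests, otherwise undefined.
 */
function checkHttps(req, res, next) {
  // A missing header used to throw a TypeError on `.indexOf`. Treat it as
  // "not HTTPS" so the request is redirected instead of crashing the handler.
  const forwarded = req.get('X-Forwarded-Proto') || '';

  // The header can hold a comma-separated list, one entry per proxy hop; by
  // convention the first entry is the protocol the client used. Compare that
  // entry exactly rather than accepting "https" anywhere in the string.
  const clientProto = forwarded.split(',')[0].trim().toLowerCase();

  if (clientProto === 'https') {
    return next();
  }

  // NOTE(review): req.hostname comes from the request's Host header, so the
  // redirect target follows whatever host the client sent. If the app should
  // answer for a single name only, redirect to a configured hostname instead.
  // The redirect covers later requests only: the first request still travels
  // over HTTP unless the HTTPS responses also send Strict-Transport-Security.
  res.redirect('https://' + req.hostname + req.url);
}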

// Run the HTTPS check for every method and path. It is registered before the
// static handler, so files served from public/ go through the check as well.
app.all('*', checkHttps);

// Static files: http://expressjs.com/en/starter/static-files.html
app.use(express.static('public'));

// Basic routing: http://expressjs.com/en/starter/basic-routing.html
app.get('/', (request, response) => {
  response.sendFile(`${__dirname}/views/index.html`);
});

// Listen on the port given in the environment and log the port actually bound.
const listener = app.listen(process.env.PORT, () => {
  const { port } = listener.address();
  console.log(`Your app is listening on port ${port}`);
});

instead of:

// server.js
// where your node app starts

// init project
const express = require('express');
const app = express();

// we've started you off with Express, 
// but feel free to use whatever libs or frameworks you'd like through `package.json`.

// Static files: http://expressjs.com/en/starter/static-files.html
// No protocol check is installed here, so requests are served over whichever
// scheme they arrived on.
app.use(express.static('public'));

// Basic routing: http://expressjs.com/en/starter/basic-routing.html
app.get('/', (request, response) => {
  response.sendFile(`${__dirname}/views/index.html`);
});

// Listen on the port given in the environment and log the port actually bound.
const listener = app.listen(process.env.PORT, () => {
  const { port } = listener.address();
  console.log(`Your app is listening on port ${port}`);
});

I think this will help a bit with users’ sites. Also, maybe you could force it on hello-webpage too?

  • xXProGamerXx

#2

This used to be the behavior, but some users wanted the flexibility to have http too, so we now support both and leave it to project owners to implement a redirect if need be.


#4

Ok, maybe the code could be included as standard, but with a variable to enable/disable HTTPS

e.g:

// server.js
// where your node app starts

const FORCE_HTTPS = true; // Use this to control the force of HTTPS!

// init project
const express = require('express');
const app = express();

// we've started you off with Express, 
// but feel free to use whatever libs or frameworks you'd like through `package.json`.

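/**
 * Express middleware that redirects plain-HTTP requests to HTTPS.
 *
 * The client's protocol is read from the `X-Forwarded-Proto` header, which
 * assumes the app runs behind a proxy that terminates TLS and sets that
 * header. The value is only trustworthy when such a proxy sets it; a client
 * that can reach the app directly can send any value it likes.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Continues to the next handler.
 * @returns {*} Whatever `next()` returns for HTTPS requests, otherwise undefined.
 */
function checkHttps(req, res, next) {
  // A missing header used to throw a TypeError on `.indexOf`. Treat it as
  // "not HTTPS" so the request is redirected instead of crashing the handler.
  const forwarded = req.get('X-Forwarded-Proto') || '';

  // The header can hold a comma-separated list, one entry per proxy hop; by
  // convention the first entry is the protocol the client used. Compare that
  // entry exactly rather than accepting "https" anywhere in the string.
  const clientProto = forwarded.split(',')[0].trim().toLowerCase();

  if (clientProto === 'https') {
    return next();
  }

  // NOTE(review): req.hostname comes from the request's Host header, so the
  // redirect target follows whatever host the client sent. If the app should
  // answer for a single name only, redirect to a configured hostname instead.
  // The redirect covers later requests only: the first request still travels
  // over HTTP unless the HTTPS responses also send Strict-Transport-Security.
  res.redirect('https://' + req.hostname + req.url);
}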

// Install the HTTPS check only when the FORCE_HTTPS switch is on. With the
// switch off, nothing below redirects, so plain-HTTP requests are served as-is.
// The check is registered before the static handler, so files served from
// public/ go through it as well.
if (FORCE_HTTPS) {
  app.all('*', checkHttps);
}

// Static files: http://expressjs.com/en/starter/static-files.html
app.use(express.static('public'));

// Basic routing: http://expressjs.com/en/starter/basic-routing.html
app.get('/', (request, response) => {
  response.sendFile(`${__dirname}/views/index.html`);
});

// Listen on the port given in the environment and log the port actually bound.
const listener = app.listen(process.env.PORT, () => {
  const { port } = listener.address();
  console.log(`Your app is listening on port ${port}`);
});

I hope you think this is a good idea.