I noticed that if you change the https part of the project URL to http it uses HTTP, whereas most websites Google, etc… redirect you to the HTTPS version of their website. How can I make my Glitch project force HTTPS???
See the following example project which implements this: https://glitch.com/edit/#!/large-patch
3 Likes
Thanks, but would I place this code before any other app.gets?
Copy the checkHttps function code into your js file, and use app.use(checkHttps) before your app.gets. See https://expressjs.com/en/guide/writing-middleware.html
2 Likes
Ok, thanks! I shall update my code with that now,
Is it still working as of now? I’m getting < projectname >.glitch.me redirected you too many times…?
Hmm so it does work for glitch subdomains. But it won’t work on my custom domain weird, but it’s fine, just the red “Not secure” annoys me
Edit to make things more clear: Adding https:// works, but I’m trying to force it
1 Like
That seems incorrect. For example https://shw.hyperdev.space/ is a custom domain registered via the fly.io Custom Domain integration in Glitch and configured at my registrar, iwantmyname.com. https worked completely transparently - I didn’t do anything special.
What’s your domain and project?
1 Like
It’s doing some weird thing where it does not show it is connected to a Domain, but my site is http://taiwei.glitch.me, custom domain: http://taiwei.ml, as you can see the latter did not force https?
I used to use fly, but to test glitch’s new custom domain i deleted my fly project. So now (I think…?) it’s using glitch’s custom domains, if join URL needed dm me
Thanks
Edit:
Uhhhh I just went to http://shw.hyperdev.space/ anddd
Edit: Adding https:// works, but I’m trying to force it
Ah yes, I misinterpreted what you were trying to do; I didn’t read the backscroll carefully enough, sorry!
Yes, you are correct, that workaround won’t handle custom domains due to the way X-Forwarded-Proto gets filled in those situations. I don’t know of a way to handle it with custom domains off-hand.
2 Likes
Haha, yea, there is a middleware in Fly.io though, is there a way I can un-intergrate glitch’s Custom domains and then I can do it using Fly.io, and use the Force https middleware from them? (Same project as above)
There seems to be no way to un-intergrate it tho? And I can’t make a new fly website.
Was going to insert image here, but it won’t stop loading 
Fixed after a few Hard refreshes.
So what I mean is you can’t remove domains or is glitch glitched (ha pun)
This is getting irrelevant to the title, i’ll make a new post thing.
1 Like
Hey, can you please explain how you force HTTPS through Fly? I’d like to do that too on my custom domain.
Unfortunately I found this topic too late and connected my domain name already. @cori could you please unlink figma.fun domain from this project: https://glitch.com/~figma-short? Thanks in advance.
Is there any solution to this now? I was testing code on a custom domain and nothing I did seemed to be able to get a forced-https result
It’s very simple, just add this to every HTML file:
<script>
if (location.protocol !== 'https:') {
location.replace(`https:${location.href.substring(location.protocol.length)}`);
}
</script>
or include this in your JS:
if (location.protocol !== 'https:') {
location.replace(`https:${location.href.substring(location.protocol.length)}`);
}
This wouldn’t work server-side, I need a way to make the server itself only serve https requests, not http
i lack the understanding to know what server side means (ok i probably know but i cant find a solution). would this work?
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
from here.
this would just mean that the client side upgrades its own requests, I want the server to not serve HTTP requests at all
If you are using a custom domain on Fly, it may be worth changing your domain’s DNS to use Cloudflare, where you can select to have your site only serve on HTTPS.
There are some limitations with using their free DNS, but I use it for all my websites and it works fine 
Hope this helps!
Eddie