Open GrilloPress opened 4 years ago
I ended up implementing this in my kit by adding to my app.js file:

```js
// Assumes the kit's app.js already has `app` (the Express instance) and
// `config` (require('./config')) in scope, as the prototype kit does.
var env = (process.env.NODE_ENV || 'development').toLowerCase()

var forceHttps = function (req, res, next) {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    console.log('Redirecting request to https')
    // 302 temporary - this is a feature that can be disabled
    return res.redirect(302, 'https://' + req.get('Host') + req.url)
  }
  // Mark proxy as secure (allows secure cookies)
  req.connection.proxySecure = true
  next()
}

// Environment variable wins over config.js; coerce to a string so an
// unset value does not throw on toLowerCase()
var useHttps = String(process.env.USE_HTTPS || config.useHttps || '').toLowerCase()

// Force HTTPS on production. Do this before using basicAuth to avoid
// asking for username/password twice (for `http`, then `https`).
var isSecure = (env === 'production' && useHttps === 'true')
if (isSecure) {
  app.use(forceHttps)
  app.set('trust proxy', 1) // needed for secure cookies on heroku
}
```
and to myapp/config.js file:

```js
// Force HTTP to redirect to HTTPS on production
useHttps: 'true',
```
just to note the code is still in the NHS kit from the GOV.UK kit, it's just commented out:
https://github.com/nhsuk/nhsuk-prototype-kit/blob/master/lib/utils.js#L128-L141
Yes. I noticed, but when I uncommented it, it completely borked my app.
I'm going to see if I can get the code working in the prototype utils file as per the gov.uk one and create a pull request.
There were a few lines of code that have been cut out of the NHS kit that were in the gov.uk one.
@GrilloPress @joelanman I’ve got a new fix for this in #410. It’s setting the Strict-Transport-Security header, which I think should be more reliable than the previous redirect approach, as it won’t rely on the x-forwarded-proto header.
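An added example, not code from the prototype kit or from #410, combining the two approaches in this thread: a redirect for plain-HTTP requests plus a Strict-Transport-Security header on HTTPS responses, with x-forwarded-proto honoured only behind a trusted proxy and the redirect target limited to an allowlist of hosts. It assumes Express-style req/res objects; the option names (trustProxy, allowedHosts, hstsMaxAge) and the hostnames are made up for the example.

```javascript
// Added example, not the prototype kit's own code. Proxy-aware HTTPS enforcement
// for Express: redirect plain-HTTP requests and send Strict-Transport-Security on
// HTTPS responses so browsers stop making plain-HTTP requests in the first place.
// Assumes Express-style req/res objects (req.headers, req.url, res.set, res.redirect).

// Scheme the client used. x-forwarded-proto is honoured only when the app is
// told it sits behind a trusted proxy (Heroku, nginx); otherwise any client
// could claim "https" and skip the redirect.
function requestScheme (req, trustProxy) {
  if (req.secure || (req.connection && req.connection.encrypted)) return 'https'
  if (trustProxy) {
    // Chained proxies may append values: "https, http". The first is the client's.
    var first = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase()
    if (first === 'https' || first === 'http') return first
  }
  return 'http'
}

// Pure decision function (no server needed to test it). Returns one of:
//   { status: 400 }                -> no usable Host, refuse rather than guess
//   { redirect: 'https://...' }    -> plain HTTP, send the client to HTTPS
//   { headers: { 'Strict-Transport-Security': '...' } } -> already HTTPS
function httpsDecision (req, options) {
  var opts = options || {}
  var maxAge = opts.hstsMaxAge || 31536000 // one year (assumed default)
  var host = req.headers.host
  // Only redirect to hosts we serve, so a forged Host header cannot turn the
  // redirect into a bounce to an arbitrary site.
  if (!host || (opts.allowedHosts && opts.allowedHosts.indexOf(host) === -1)) {
    return { status: 400 }
  }
  if (requestScheme(req, !!opts.trustProxy) !== 'https') {
    return { redirect: 'https://' + host + (req.url || '/') }
  }
  return { headers: { 'Strict-Transport-Security': 'max-age=' + maxAge + '; includeSubDomains' } }
}

// Express wrapper: app.use(forceHttps({ trustProxy: true, allowedHosts: ['your-kit.herokuapp.com'] }))
function forceHttps (options) {
  return function (req, res, next) {
    var d = httpsDecision(req, options)
    if (d.status) return res.status(d.status).send('Bad Host header')
    if (d.redirect) return res.redirect(302, d.redirect) // 302 as in the thread; 301 once stable
    Object.keys(d.headers).forEach(function (name) { res.set(name, d.headers[name]) })
    next()
  }
}

if (typeof module !== 'undefined') module.exports = { requestScheme: requestScheme, httpsDecision: httpsDecision, forceHttps: forceHttps }
```

Browsers only honour Strict-Transport-Security on an HTTPS response, so the redirect is still needed for the first plain-HTTP visit; after that the browser upgrades to HTTPS itself for max-age seconds.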
Most websites are now https and chrome gives you a warning if a website you are visiting isn't using http.
The prototype kit doesn't force this. So if you deploy to heroku you can have both a http and https version of the website. https is more secure.
In the app team we also noticed that when running the prototype kit as a PWA (to simulate the app) that if we used the http version a massive warning bar came up when a user used a field. This happened on every text input.
We should force (or allow the kit to force) https. More secure. Saves issues for people navigating and sharing the http version for testing and documentation.