Say yes to https with express and connect.
Clone or download

README.md

YES HTTPS!

Build Status npm version Greenkeeper badge

yes-https is a happy little npm module that makes it easy to require https for your connect based application.

It does this two ways:

  • Setting the Strict-Transport-Security HTTP header. Learn more at OWASP.
  • Automatically sending an HTTP 301 for the first request. This is often overlooked, as HSTS only works after the browser hits the https endpoint the first time.

Installation

npm install --save yes-https

Usage

const yes = require('yes-https');
const express = require('express');

let app = express();

// Use the yes-https connect middleware.  Note - this will only work if NODE_ENV is set to production.
app.use(yes());

app.get('/', (req, res) => {
  res.end('Thanks for checking it out!');
});

const server = app.listen(process.env.PORT || 3000, () => {
  console.log('App listening on port %s', server.address().port);
  console.log('Press Ctrl+C to quit.');
});

You can also set a few settings with the middleware to control the header:

app.use(yes({
  maxAge: 86400,            // defaults `86400`
  includeSubdomains: true,  // defaults `true`
  preload: true             // defaults `true`
}));

Ignoring specific requests

In some cases, you may want to ignore a request and not force the redirect. You can use the ignoreFilter option to opt out of redirects on a case by case basis. This is useful if you want to ignore a specific route:

app.use(yes({
  ignoreFilter: (req) => {
    return (req.url.indexOf('/_ah/health') > -1);
  }
}));

Contributing

Pull requests welcomed!