
Force https when running in production #141

Open
GrilloPress opened this issue Nov 22, 2019 · 4 comments · May be fixed by #410
Labels: JavaScript (Pull requests that update Javascript code), type: enhancement 💡 (New feature or request)

Comments

@GrilloPress
Contributor

Most websites are now https and Chrome gives you a warning if a website you are visiting isn't using http.

The prototype kit doesn't force this. So if you deploy to Heroku you can have both an http and an https version of the website. https is more secure.

In the app team we also noticed that when running the prototype kit as a PWA (to simulate the app), if we used the http version a massive warning bar came up when a user used a field. This happened on every text input.

We should force (or allow the kit to force) https. More secure. Saves issues for people navigating and sharing the http version for testing and documentation.

@GrilloPress
Contributor Author

I ended up implementing this in my kit by adding to my app.js file:

// `app` (the kit's Express app) and `config` (the kit's config module, edited
// below) are assumed to already be in scope in the kit's app.js
var env = (process.env.NODE_ENV || 'development').toLowerCase()
var forceHttps = function (req, res, next) {
  // Heroku terminates TLS and reports the original scheme in this header
  if (req.headers['x-forwarded-proto'] !== 'https') {
    console.log('Redirecting request to https')
    // 302 temporary - this is a feature that can be disabled
    return res.redirect(302, 'https://' + req.get('Host') + req.url)
  }
  // Mark proxy as secure (allows secure cookies)
  req.connection.proxySecure = true
  next()
}
// String() guards against the value being unset (or a boolean in config.js),
// which would otherwise make .toLowerCase() throw
var useHttps = String(process.env.USE_HTTPS || config.useHttps || '').toLowerCase()
// Force HTTPS on production. Do this before using basicAuth to avoid
// asking for username/password twice (for `http`, then `https`).
var isSecure = (env === 'production' && useHttps === 'true')
if (isSecure) {
  app.use(forceHttps)
  app.set('trust proxy', 1) // needed for secure cookies on heroku
}

and to myapp/config.js file:

// Force HTTP to redirect to HTTPS on production
useHttps: 'true',

@joelanman

Just to note, the code from the GOV.UK kit is still in the NHS kit, it's just commented out:

https://github.com/nhsuk/nhsuk-prototype-kit/blob/master/lib/utils.js#L128-L141

@GrilloPress
Contributor Author

Yes, I noticed, but when I uncommented it, it completely borked my app.

I'm going to see if I can get the code working in the prototype utils file as per the gov.uk one and create a pull request.

There were a few lines of code that have been cut out of the NHS kit that were in the gov.uk one.

@frankieroberto
Contributor

@GrilloPress @joelanman I’ve got a new fix for this in #410. It’s setting the Strict-Transport-Security which I think should be more reliable than the previous redirect approach, as it won’t rely on the x-forwarded-proto header.
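The two approaches discussed in this thread side by side, as an added example that is not code from the issue, from #410 or from the NHS/GOV.UK prototype kits: a redirect middleware in the style of the first comment and a Strict-Transport-Security middleware in the style of #410. It assumes the app runs behind a TLS-terminating proxy that sets `x-forwarded-proto` (Heroku, as in the issue) and that Express has been told to trust that proxy (`app.set('trust proxy', 1)`). Only the request/response members Express provides are used (`headers`, `method`, `url`, `req.get`, `res.redirect`, `res.status`, `res.end`, `res.setHeader`), so the same functions are exercised below with constructed stand-in objects and no Express install.

```javascript
// Added example; not code from the issue, #410 or the prototype kits.
// Assumes a TLS-terminating proxy that sets x-forwarded-proto (Heroku) and an
// Express app that trusts it (app.set('trust proxy', 1)).

var ONE_YEAR = 60 * 60 * 24 * 365

// Scheme the client used, as reported by the proxy. With chained proxies the
// header is a comma-separated list and the first entry is the client-facing hop.
// The value is only meaningful because the app sits behind a trusted proxy.
function forwardedProto (req) {
  var raw = req.headers['x-forwarded-proto'] || ''
  return raw.split(',')[0].trim().toLowerCase()
}

// Redirect approach (as in the first comment). GET/HEAD are sent to the same
// URL on https with a 302, as in the issue's snippet, so the feature stays easy
// to switch off. Other methods are refused rather than redirected: a 302 would
// drop a POST body and a 307 would replay data that was already sent in clear.
function forceHttps (req, res, next) {
  if (forwardedProto(req) === 'https') {
    return next()
  }
  if (req.method === 'GET' || req.method === 'HEAD') {
    return res.redirect(302, 'https://' + req.get('Host') + req.url)
  }
  res.status(403).end('HTTPS is required')
}

// HSTS approach (as in #410). Browsers only honour the header when it arrives
// over HTTPS (RFC 6797), so it is set on forwarded-https requests only. Once
// stored, the browser upgrades later http:// links itself without consulting
// x-forwarded-proto, which is why #410 prefers it; it cannot act on the very
// first plain-HTTP visit, so both middlewares are usually combined.
function hsts (req, res, next) {
  if (forwardedProto(req) === 'https') {
    res.setHeader('Strict-Transport-Security',
      'max-age=' + ONE_YEAR + '; includeSubDomains')
  }
  next()
}

// Constructed request/response stand-ins so the middlewares run without Express.
function fakeRequest (method, proto, host, url) {
  var headers = { host: host }
  if (proto) headers['x-forwarded-proto'] = proto
  return {
    method: method,
    url: url,
    headers: headers,
    get: function (name) { return headers[name.toLowerCase()] }
  }
}

function fakeResponse () {
  var res = { statusCode: 200, headers: {}, redirectedTo: null, body: null }
  res.redirect = function (code, location) { res.statusCode = code; res.redirectedTo = location }
  res.status = function (code) { res.statusCode = code; return res }
  res.end = function (body) { res.body = body }
  res.setHeader = function (name, value) { res.headers[name] = value }
  return res
}

// Runs a request through forceHttps then hsts (the order the kit would use) and
// reports the resulting response and whether the app handler was reached.
function handle (req) {
  var res = fakeResponse()
  var reached = false
  forceHttps(req, res, function () {
    hsts(req, res, function () { reached = true })
  })
  return { res: res, reachedApp: reached }
}

// Sample run on constructed requests: plain-HTTP GET is redirected, HTTPS GET
// reaches the app with the HSTS header, plain-HTTP POST is refused.
console.log(handle(fakeRequest('GET', 'http', 'example.org', '/start?x=1')).res.redirectedTo)
console.log(handle(fakeRequest('GET', 'https', 'example.org', '/start')).res.headers)
console.log(handle(fakeRequest('POST', 'http', 'example.org', '/submit')).res.statusCode)
```

In the kit both functions would be registered with `app.use(forceHttps)` and `app.use(hsts)` only when `env === 'production'`, as the first comment's snippet does, so that local `http://localhost` development is unaffected; a missing or non-`https` `x-forwarded-proto` on a production request is treated as plain HTTP, never as secure.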

@vickytnz vickytnz added the JavaScript Pull requests that update Javascript code label Nov 24, 2024