Use strict https in production #410
Conversation
This will ensure that browsers automatically load the prototype over https, even if the `http://` prefix is typed into the URL bar. It does require `NODE_ENV` to be set to `production`; however, many platforms such as Heroku will [set this by default](https://devcenter.heroku.com/changelog-items/688) for Node.js apps. Once this is set you can also submit the domain to https://hstspreload.org, which will ensure the browsers add it to their list of domains to always use https on.
@edwardhorsford @vickytnz ok to approve this? We should then add some guidance to suggest adding the
Setting NODE_ENV=production also does some performance things in Express: https://expressjs.com/th/advanced/best-practice-performance.html#set-node_env-to-production
Oh wow - I didn't realise that was the case. I know that I had to do this for Railway but didn't think I needed to for Heroku, but that does have some performance benefits.
Reviewing the guidance, we already say that railway users have to do this. https://prototype-kit.service-manual.nhs.uk/how-tos/publish-your-prototype-online
Unless this breaks Heroku (which I don't think it does), this should be OK to go without changes. My only thought is whether this makes enough of a difference to performance that we need to headline it as adding it in and saying (the prototype will run without it but images will take longer to load and use more data). EDIT: read your notes from the top, you're saying that it's done by default by Heroku so actually the guidance is probably good enough.
@vickytnz yep, I believe that's the case, although we should probably test it. Can't remember if I added it manually or not.
This aims to avoid browser warnings if users accidentally visit a prototype in non-secure mode.

It does this by adding the `Strict-Transport-Security` HTTP header. This will ensure that once a browser has successfully loaded a first page from the domain over https, all subsequent requests will automatically use https, even if the `http://` prefix is typed into the URL bar.

I've set this to require `NODE_ENV` to be set to `production` to avoid any issues when running the prototype over localhost. We'd have to add this to the documentation. However, many platforms such as Heroku will set this by default for Node.js apps.

Once your prototype is running with the header set, you can also submit the domain to https://hstspreload.org/ (although this doesn't work for subdomains), which will ensure the browsers add it to their list of domains to always use https on without even having to visit it first.

Fixes #141
Checklist
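As an added illustration of the behaviour this PR describes (this is example code, not the prototype kit's own change): an Express-style middleware that sends `Strict-Transport-Security` only when `NODE_ENV` is `production`, so a prototype on localhost never pins the browser to https. The function names (`strictHttps`, `hstsHeaderValue`, `headerFor`), the one-year `max-age`, and the fake response object are assumptions made here for illustration; the `includeSubDomains` and `preload` directives are the ones hstspreload.org requires before a domain can be submitted.

```javascript
// Added example, not code from the PR: HSTS middleware gated on NODE_ENV.

const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365; // assumed value for the example

// Build the header value. Both includeSubDomains and preload must be present
// for hstspreload.org to accept a submission.
function hstsHeaderValue({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = true, preload = true } = {}) {
  const directives = [`max-age=${maxAge}`];
  if (includeSubDomains) directives.push('includeSubDomains');
  if (preload) directives.push('preload');
  return directives.join('; ');
}

// Middleware factory (hypothetical name). `env` defaults to process.env.NODE_ENV,
// so with no NODE_ENV or NODE_ENV=development the header is never sent, which
// avoids locking a developer's browser to https://localhost.
function strictHttps(env = process.env.NODE_ENV, options = {}) {
  const value = hstsHeaderValue(options);
  return function (req, res, next) {
    if (env === 'production') {
      res.setHeader('Strict-Transport-Security', value);
    }
    next();
  };
}

// Minimal stand-in for an Express response so the example runs without express.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, v) { headers[name.toLowerCase()] = v; },
  };
}

// Run the middleware under a given NODE_ENV and report what it did.
function headerFor(env) {
  const res = fakeResponse();
  let nextCalled = false;
  strictHttps(env)({}, res, () => { nextCalled = true; });
  return { header: res.headers['strict-transport-security'], nextCalled };
}

// In a real app this would be `app.use(strictHttps());` (hypothetical usage).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('production :', headerFor('production'));
  console.log('development:', headerFor('development'));
}
```

Two caveats worth keeping in mind when testing this on a deployed prototype: browsers ignore `Strict-Transport-Security` on responses received over plain http, so the very first visit still relies on the platform's https redirect (or on the preload list) before the header takes effect; and once `preload` is sent and the domain is submitted, every subdomain must serve https, which is why the PR notes that submission is a separate, deliberate step.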