diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39de9937..36be26d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,7 @@ - Import task list component ([PR 437](https://github.com/nhsuk/nhsuk-prototype-kit/pull/437)) - The example page templates have moved from the `docs` folder to `lib/example-templates` - ([PR 409](https://github.com/nhsuk/nhsuk-prototype-kit/pull/409)) - Added a devcontainer.json file to configure Github Codespaces for use of the kit ([PR 428])(https://github.com/nhsuk/nhsuk-prototype-kit/pull/428)) - +- Use strict https in production mode - ([PR 410](https://github.com/nhsuk/nhsuk-prototype-kit/pull/410))
 ## 5.1.0 - 12 November 2024
diff --git a/app.js b/app.js
index 0f36af36..3b9b52f7 100755
--- a/app.js
+++ b/app.js
@@ -189,6 +189,15 @@ exampleTemplatesApp.get(/^([^.]+)$/, (req, res, next) => {
 app.use('/prototype-admin', prototypeAdminRoutes);
+if (process.env.NODE_ENV === 'production') {
+ app.use((req, res, next) => {
+ // Set Strict-Transport-Security header to
+ // ensure that browsers only use HTTPS
+ res.setHeader('Strict-Transport-Security', 'max-age=31536000; preload');
+ next();
+ });
+}
+
 // Redirect all POSTs to GETs - this allows users to use POST for autoStoreData
 app.post(/^\/([^.]+)$/, (req, res) => {
 res.redirect(`/${req.params[0]}`);
diff --git a/lib/utils.js b/lib/utils.js
index e2f73a8e..25a79ff9 100644
--- a/lib/utils.js
+++ b/lib/utils.js
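Review bot: The HSTS middleware is registered after `app.use('/prototype-admin', prototypeAdminRoutes)` and, going by the hunk header, after the example-template routes as well, so responses produced by those earlier handlers never carry the header; it should be registered ahead of the first route so every production response gets it. The value `max-age=31536000; preload` also omits `includeSubDomains`, which the preload list requires, so `preload` does nothing as written and is a long-lived, hard-to-revert commitment for a prototype kit — drop it (or add `includeSubDomains` alongside it only if every subdomain serves HTTPS), e.g. `res.setHeader('Strict-Transport-Security', 'max-age=31536000');`. HSTS is only honoured by browsers after a response over HTTPS, and with the commented-out `forceHttps` redirect now deleted from lib/utils.js nothing in the kit upgrades a first plain-HTTP request, so this presumably relies on the hosting platform doing the redirect; a comment saying so would help, e.g. `// Assumes the host redirects HTTP to HTTPS; HSTS only takes effect after an HTTPS response`.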
@@ -110,21 +110,6 @@ exports.findAvailablePort = function (app, callback) {
 }
 */
-/*
-// Redirect HTTP requests to HTTPS
-exports.forceHttps = function (req, res, next) {
- if (req.headers['x-forwarded-proto'] !== 'https') {
- console.log('Redirecting request to https')
- // 302 temporary - this is a feature that can be disabled
- return res.redirect(302, 'https://' + req.get('Host') + req.url)
- }
-
- // Mark proxy as secure (allows secure cookies)
- req.connection.proxySecure = true
- next()
-}
-*/
-
 /*
 // Synchronously get the URL for the latest release on GitHub and cache it
 exports.getLatestRelease = function () {