From 9231bc8be909dfe80585aff342e3d698e227076a Mon Sep 17 00:00:00 2001 From: Frankie Roberto Date: Wed, 13 Nov 2024 22:55:43 +0000 Subject: [PATCH 1/3] Set Strict-Transport-Security header in production This will ensure that browsers automatically load the prototype over https, even if the `http://` prefix is typed into the URL bar. It does require `NODE_ENV` to be set to `production`, however many platforms such as Heroku will [set this by default](https://devcenter.heroku.com/changelog-items/688) for Node.js apps. Once this is set you can also submit the domain to https://hstspreload.org which will ensure the browsers at it to their list of domains to always use https on. --- app.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/app.js b/app.js index f438feaf..ab0327b3 100755 --- a/app.js +++ b/app.js @@ -215,6 +215,15 @@ if (useDocumentation || onlyDocumentation === 'true') { app.use('/prototype-admin', prototypeAdminRoutes); +if (process.env.NODE_ENV === 'production') { + app.use((req, res, next) => { + // Set Strict-Transport-Security header to + // ensure that browsers only use HTTPS + res.setHeader('Strict-Transport-Security', 'max-age=31536000; preload'); + next(); + }); +} + // Redirect all POSTs to GETs - this allows users to use POST for autoStoreData app.post(/^\/([^.]+)$/, (req, res) => { res.redirect(`/${req.params[0]}`); From 5311296f5d37978b809fc1f4f5c2ecbd2672126a Mon Sep 17 00:00:00 2001 From: Frankie Roberto Date: Wed, 13 Nov 2024 22:55:54 +0000 Subject: [PATCH 2/3] Remove older commented-out https code --- lib/utils.js | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/lib/utils.js b/lib/utils.js index e2f73a8e..25a79ff9 100644 --- a/lib/utils.js +++ b/lib/utils.js 
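Review bot: The value on the `res.setHeader` line will not be accepted by hstspreload.org, which the commit message points users to: preload submission requires the `includeSubDomains` directive next to `preload` (with `max-age` of at least one year, which 31536000 satisfies), so the line should read `res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');` — or, if preloading is not actually intended for every deployment of the kit, `preload` should be dropped, since a domain on the preload list is hard to remove. Browsers ignore this header on responses received over plain HTTP, so with the HTTP-to-HTTPS redirect removed in PATCH 2/3 a first visit typed as `http://` is only upgraded once the site has already been seen over HTTPS (or is preloaded); the description's claim about the `http://` prefix holds from the second visit, which is worth stating in the comment above the header. The middleware is also registered after the prototype-admin routes, so any earlier handler that ends the response (static assets, for instance) would send it without the header; registering it before the static and route middleware avoids that, though what runs earlier in app.js is outside this hunk and I cannot confirm it.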
@@ -110,21 +110,6 @@ exports.findAvailablePort = function (app, callback) { } */ -/* -// Redirect HTTP requests to HTTPS -exports.forceHttps = function (req, res, next) { - if (req.headers['x-forwarded-proto'] !== 'https') { - console.log('Redirecting request to https') - // 302 temporary - this is a feature that can be disabled - return res.redirect(302, 'https://' + req.get('Host') + req.url) - } - - // Mark proxy as secure (allows secure cookies) - req.connection.proxySecure = true - next() -} -*/ - /* // Synchronously get the URL for the latest release on GitHub and cache it exports.getLatestRelease = function () { From 6c0a9cc2ab52bc35fb482da4b2ecf566005e48dc Mon Sep 17 00:00:00 2001 From: Frankie Roberto Date: Wed, 13 Nov 2024 23:04:17 +0000 Subject: [PATCH 3/3] Update changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4144c10..4919e0d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # NHS.UK prototype kit Changelog +## Unreleased + +- Use strict https in production mode - ([PR 410](https://github.com/nhsuk/nhsuk-prototype-kit/pull/410)) + ## 5.1.0 - 12 November 2024 - Remove guidance and tutorials - these can now be found online on the [NHS Prototype Kit website](https://prototype-kit.service-manual.nhs.uk) - ([PR 385](https://github.com/nhsuk/nhsuk-prototype-kit/pull/385))