Use strict https headers and redirect from http to https in production mode #410
This will ensure that browsers automatically load the prototype over https, even if the `http://` prefix is typed into the URL bar. It does require `NODE_ENV` to be set to `production`, however many platforms such as Heroku will [set this by default](https://devcenter.heroku.com/changelog-items/688) for Node.js apps. Once this is set you can also submit the domain to https://hstspreload.org which will ensure the browsers add it to their list of domains to always use https on.
@edwardhorsford @vickytnz ok to approve this? We should then add some guidance to suggest adding the
Setting NODE_ENV=production also does some performance things in Express: https://expressjs.com/th/advanced/best-practice-performance.html#set-node_env-to-production
oh wow - I didn't realise that was the case. I know that I had to do this for railway but didn't think I needed to for heroku but that does have some performance benefits
Reviewing the guidance, we already say that railway users have to do this. https://prototype-kit.service-manual.nhs.uk/how-tos/publish-your-prototype-online
Unless this breaks Heroku (which I don't think it does), this should be OK to go without changes. My only thought is whether this makes enough of a difference to performance that we need to headline it as adding it in and saying (the prototype will run without it but images will take longer to load and use more data). EDIT: read your notes from the top, you're saying that it's done by default by Heroku so actually the guidance is probably good enough.
@vickytnz yep, I believe that's the case, although we should probably test it. Can't remember if I added it manually or not.
@anandamaryon1 could you review?
Co-authored-by: Colin Rotherham <[email protected]>
I’ve verified this works on Heroku. For Railway, they do their own redirecting of HTTP -> HTTPS at the proxy layer for all apps, so the code is unneeded, but doesn’t do any harm.
Nice work, let's give it a go. Can always tweak some more
This aims to avoid browser warnings if users accidentally visit a prototype in non-secure mode.

It does this by adding the `Strict-Transport-Security` HTTP header and `Content-Security-Policy` set to `upgrade-insecure-requests`. This will ensure that all subsequent requests will automatically use https, even if the `http://` prefix is typed into the URL bar. Additionally, the kit will automatically respond with a redirect to the https url whenever insecure requests are made.

This only happens when `NODE_ENV` is set to `production`, to avoid any issues when running the prototype over localhost.

Once your prototype is running with the header set, you can also submit the domain to https://hstspreload.org/ (although this doesn't work for subdomains) which will ensure the browsers add it to their list of domains to always use https on without even having to visit it first.
Fixes #141
Checklist
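The behaviour the PR describes, written out as an added Express-style middleware (example code, not the prototype kit's own implementation): in production it redirects plain-http requests to https and sets the HSTS and `upgrade-insecure-requests` headers on https responses; outside production it does nothing. It assumes a TLS-terminating proxy such as Heroku passes the original scheme in `X-Forwarded-Proto`, and the `fakeReq`/`fakeRes` stubs are constructed here so the middleware can be exercised without a server.

```javascript
// Added example, not the kit's own code. Express-compatible middleware that
// enforces https only when NODE_ENV=production (or options.env overrides it).
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365; // 31536000

// True when the request reached the app over https, either directly
// (req.secure) or via a proxy that set X-Forwarded-Proto (assumed, e.g. Heroku).
function isHttps(req) {
  if (req.secure) return true;
  const proto = (req.headers && req.headers['x-forwarded-proto']) || '';
  // Chained proxies may append values; the first one is the client's scheme.
  return proto.split(',')[0].trim().toLowerCase() === 'https';
}

function secureTransport(options = {}) {
  const production = (options.env || process.env.NODE_ENV) === 'production';
  return function (req, res, next) {
    if (!production) return next(); // localhost: plain http is fine
    if (!isHttps(req)) {
      // Permanent redirect to the same host and path over https.
      return res.redirect(301, 'https://' + req.headers.host + req.originalUrl);
    }
    res.setHeader('Strict-Transport-Security',
      `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`);
    res.setHeader('Content-Security-Policy', 'upgrade-insecure-requests');
    return next();
  };
}

// Constructed request/response stubs, standing in for Express objects.
function fakeReq(secure, forwardedProto, host = 'example.test', url = '/start') {
  const headers = { host };
  if (forwardedProto) headers['x-forwarded-proto'] = forwardedProto;
  return { secure, headers, originalUrl: url };
}
function fakeRes() {
  const res = { headers: {}, redirectedTo: null, status: null };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.redirect = (status, url) => { res.status = status; res.redirectedTo = url; };
  return res;
}
// Runs the middleware once and reports whether it passed control on.
function run(env, req) {
  const res = fakeRes();
  let nextCalled = false;
  secureTransport({ env })(req, res, () => { nextCalled = true; });
  return { res, nextCalled };
}
```

Note that for `req.secure` to be set correctly behind a proxy, Express also needs `app.set('trust proxy', 1)`; the `X-Forwarded-Proto` check above covers the case where that is not configured.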