Merge pull request #4044 from jweismann/dev

redirect HTTP to HTTPS unless explicitly instructed not to do this
nightscout · Nov 21, 2018 · 5787482 · 5787482
2 parents cf7b40e + 372efca
commit 5787482
Show file tree

Hide file tree

Showing 4 changed files with 160 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -265,6 +265,8 @@ To learn more about the Nightscout API, visit https://YOUR-SITE.com/api-docs.htm
   * `SHOW_RAWBG` (`never`) - possible values `always`, `never` or `noise`
   * `CUSTOM_TITLE` (`Nightscout`) - Usually name of T1
   * `THEME` (`default`) - possible values `default`, `colors`, or `colorblindfriendly`
+  * `INSECURE_USE_HTTP` (`false`) - possible values `false`, or `true`. 
+  * `SECURE_HTTP_HEADERS` (`false`) - possible values `false`, or `true`. 
   * `ALARM_TIMEAGO_WARN` (`on`) - possible values `on` or `off`
   * `ALARM_TIMEAGO_WARN_MINS` (`15`) - minutes since the last reading to trigger a warning
   * `ALARM_TIMEAGO_URGENT` (`on`) - possible values `on` or `off`

diff --git a/app.js b/app.js
@@ -14,6 +14,24 @@ function create(env, ctx) {
     var appInfo = env.name + ' ' + env.version;
     app.set('title', appInfo);
     app.enable('trust proxy'); // Allows req.secure test on heroku https connections.
+    if (process.env.INSECURE_USE_HTTP !== 'true') {
+        app.use((req, res, next) => {
+        if (req.header('x-forwarded-proto') !== 'https')
+            res.redirect(`https://${req.header('host')}${req.url}`)
+        else
+            next()
+        })
+        if (process.env.SECURE_HTTP_HEADERS == 'true') {
+            const helmet = require('helmet')
+            app.use(helmet({
+                hsts: {
+                    maxAge: 31536000,
+                    includeSubDomains: true,
+                    preload: true
+                }
+            }))
+        }
+     }
 
     app.set('view engine', 'ejs');
     // this allows you to render .html files as templates in addition to .ejs
@@ -208,4 +226,4 @@ function create(env, ctx) {
     //}
     return app;
 }
-module.exports = create;
+module.exports = create;
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -67,6 +67,7 @@
     "express": "^4.16.4",
     "express-minify": "^1.0.0",
     "flot": "^0.8.0-alpha",
+    "helmet": "^3.14.0",
     "jquery": "^3.3.1",
     "jquery-ui-bundle": "^1.12.1-migrate",
     "jquery.tooltips": "^1.0.0",