Add secureRedirect middleware to force production requests to secure protocol

Author: ryanhefner

middleware/secureRedirect.js

@@ -0,0 +1,19 @@
+module.exports = (req, res, next) => {
+  const hosts = [
+    'pkgstats.com',
+  ];
+  const proto = req.get('x-forwarded-proto')
+    ? req.get('x-forwarded-proto')
+    : req.protocol;
+  const host = req.get('host');
+  const redirect = proto !== 'https' || hosts.indexOf(host) > -1;
+  const redirectTo = (hosts.indexOf(host) > -1)
+    ? `https://www.${host}${req.path}`
+    : `https://${host}${req.path}`;
+
+  if (redirect) {
+    res.redirect(301, `${redirectTo}${req.originalUrl}`);
+  } else {
+    next();
+  }
+};

server.js

@@ -9,12 +9,19 @@ const dev = process.env.NODE_ENV !== 'production';
 const NPMService = require('./src/store/services/NPMService');
 const npm = require('./services/npm');
 
+const secureRedirect = require('./middleware/secureRedirect');
+
 const app = nextJS({ dev, dir: './src' });
 const handler = routes.getRequestHandler(app);
 
 app.prepare().then(() => {
   const server = express();
 
+  // Secure redirect
+  if (!dev) {
+    server.use(secureRedirect);
+  }
+
   // Static assets
   server.use('/static', express.static(path.join(__dirname, 'src', 'static')));