Disable HTTP completely in Heroku

We have a node.js express application running in Heroku. It handles authentication and has to be highly secure.

We have forced redirect to HTTPS when we get HTTP request. But this does not seem to be enough. With tools like sslstrip we can POST via HTTP.

The only solution at hand seems to be to disable HTTP completely on Heroku.

How to do that? Are there any other suggestions?

siliconsenthil asked Mar 13 '15 11:03

3 Answers

According to OWASP you should not redirect from HTTP to HTTPS. See https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-REMOVED-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page for more details.

I think the better solution would be to reject the request with a message letting the user know why. You should be able to do this in a middleware function. The actual status code you return is debatable but something like this should work:

// Heroku's router terminates TLS, so req.protocol only reflects the client's
// original scheme (taken from X-Forwarded-Proto) once Express trusts the proxy.
app.enable('trust proxy');
app.use(function(req, res, next) {
    if(req.protocol !== 'https') {
        return res.status(403).send({message: 'SSL required'});
    }
    // allow the request to continue
    next();
});
Ryan answered Sep 27 '22 22:09


We've used the express-sslify npm package. Added

var enforce = require('express-sslify');
// the argument makes express-sslify trust the X-Forwarded-Proto header
// set by Heroku's router (boolean form of the older express-sslify API)
app.use(enforce.HTTPS(true));
siliconsenthil answered Sep 27 '22 22:09


You can test whether a request used https and then force a redirect using https if that is required (note the concern pointed out by @Ryan about redirecting and security). With Heroku, you can check the req headers' x-forwarded-proto header to make sure it is https. Here is an example:

var express = require('express');
var env = process.env.NODE_ENV || 'development';
var forceSSL = function (req, res, next) {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect(['https://', req.get('Host'), req.url].join(''));
  }
  return next();
};

var app = express();
// in your app-level configurations
if (env === 'production') app.use(forceSSL);

Note: the Heroku load balancers set the x-forwarded-proto header before the request hits your app.

Also: get an SSL certificate if you are using a custom domain with Heroku.

Clark answered Sep 27 '22 20:09
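Combining Ryan's reject-instead-of-redirect approach with Clark's x-forwarded-proto check, here is an added example (not code from any of the answers above) of a middleware that refuses non-TLS requests with a 403 and can be exercised without a running server. It assumes the app sits behind the Heroku router, which sets x-forwarded-proto; the stand-in response object and sample headers are constructed for the example.

```javascript
'use strict';

// Reject (rather than redirect) any request that did not arrive over TLS,
// judged by the x-forwarded-proto header that the Heroku router sets.
// Returns an Express-style (req, res, next) middleware.
function requireTLS(options) {
  const opts = Object.assign({ status: 403, message: 'SSL required' }, options);
  return function (req, res, next) {
    const proto = firstForwardedProto(req.headers['x-forwarded-proto']);
    if (proto !== 'https') {
      // A missing header is treated the same as plain HTTP: fail closed.
      res.status(opts.status).send({ message: opts.message });
      return;
    }
    next();
  };
}

// x-forwarded-proto may be a comma-separated list when several proxies are
// chained ("https, http"); the first entry is the scheme the client used.
function firstForwardedProto(header) {
  if (typeof header !== 'string') return '';
  return header.split(',')[0].trim().toLowerCase();
}

// Minimal stand-in for an Express response so the middleware can be tested
// offline (constructed for this example, not a real Express object).
function fakeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = function (code) { res.statusCode = code; return res; };
  res.send = function (body) { res.body = body; return res; };
  return res;
}

// Run the middleware against a constructed request with the given headers
// and report whether it was allowed through and, if not, which status was sent.
function check(headers) {
  const req = { headers: headers };
  const res = fakeResponse();
  let allowed = false;
  requireTLS()(req, res, function () { allowed = true; });
  return { allowed: allowed, status: allowed ? null : res.statusCode };
}
```

In the real app this is mounted with `app.use(requireTLS())` before any route that handles credentials, so a request that was downgraded to HTTP never reaches the login handler.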