
Express (node.js) using HTTPS and HTTP

I am using the express (3.0) framework on node.js to route my application.

Most of my application uses the HTTP protocol; however, there is one specific route I want to serve via HTTPS only. This is the part of my API which is responsible for registering and authenticating users.

For example:

app.get('/connect', function(req, res){
  // Must be on HTTPS, if not redirect to HTTPS
});

app.post('/connect', function(req, res){
  // Must be on HTTPS
});

app.get('/', function(req, res){
  // Must be on HTTP
});

app.get('/build', function(req, res){
  // Must be on HTTP
});

How does one facilitate using both within the same application? I am struggling to find any examples of this in the wild.

George Reith asked Aug 15 '13 09:08


3 Answers

Simply pass your app (which is really a request handler function) to the createServer of http and https.

var express = require('express')
    , http = require('http')
    , https = require('https')
    , app = express();

http.createServer(app);
https.createServer({ ... }, app);

Both HTTP and HTTPS requests get routed through the same Express app. In a route handler, to check whether a request was made over https, use req.secure.

app.get('/route', function(req, res) {
    if (req.secure) {
        ...
    } else {
        res.redirect(301, 'https://example.com/route');
    }
});

As a side note, modern wisdom considers mixed http/https sites insecure. You may protect the user's password by requiring them to log in over SSL, but then switching back to http for subsequent requests makes it trivial for an attacker to steal a user's login cookie.

Consider making all requests by logged-in users over SSL.

josh3736 answered Oct 19 '22 12:10
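
The req.secure check from the answer above, written as reusable middleware for the question's /connect routes, together with a login cookie marked secure so that it is never sent over the plain-HTTP routes. This is an added example, not code from the answers; the origin https://example.com, the cookie name sid, the token value and the simulate stub are assumptions constructed for illustration.

```javascript
// Added example (not from the answers). Express-style middleware, exercised
// with constructed request/response stubs so it runs without Express installed.
const CANONICAL_ORIGIN = 'https://example.com'; // assumption: the site's HTTPS origin

// Guard for routes such as /connect that must only be served over TLS.
function requireHttps(req, res, next) {
    if (req.secure) return next();
    if (req.method === 'GET' || req.method === 'HEAD') {
        // Redirect to a fixed origin, never one built from the Host header, and
        // only reuse origin-form targets so an absolute request URL cannot
        // change the redirect host.
        const target = req.originalUrl.startsWith('/') ? req.originalUrl : '/';
        return res.redirect(301, CANONICAL_ORIGIN + target);
    }
    // A POST over HTTP has already sent its body (the credentials) in clear
    // text; a redirect cannot undo that, so refuse it.
    return res.status(403).send('HTTPS required');
}

// Handler for POST /connect: the cookie name 'sid' and the token are hypothetical.
function connect(req, res) {
    // secure: the browser never attaches the cookie to the plain-HTTP routes.
    res.cookie('sid', 'constructed-token', { secure: true, httpOnly: true });
    res.send('ok');
}

// Constructed stub that records what the middleware chain did to the response.
function simulate(method, secure, originalUrl) {
    const out = { status: 200, location: null, cookie: null, body: null };
    const res = {
        status(code) { out.status = code; return res; },
        redirect(code, url) { out.status = code; out.location = url; },
        cookie(name, value, opts) { out.cookie = { name, value, opts }; },
        send(body) { out.body = body; }
    };
    const req = { method, secure, originalUrl };
    requireHttps(req, res, () => connect(req, res));
    return out;
}

console.log(simulate('GET', false, '/connect?next=1')); // redirected to HTTPS
console.log(simulate('POST', false, '/connect'));       // refused
console.log(simulate('POST', true, '/connect'));        // cookie set
```

In the question's app the guard would be mounted with app.all('/connect', requireHttps) ahead of the two /connect handlers. Behind a TLS-terminating proxy, req.secure only reflects the X-Forwarded-Proto header when Express's 'trust proxy' setting is enabled.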


Try this approach. Create two express request handlers (app_http and app_https).

Pass app_http as the request handler while creating the http server (http.createServer(app_http)).

Pass app_https as the request handler while creating the https server (https.createServer(options, app_https)).

var express = require('express'),
    http = require('http'),
    https = require('https');

var app_http = express();  // this one handles HTTP requests
var app_https = express(); // this one handles HTTPS requests

app_https.get('/connect', function(req, res){
  // Must be on HTTPS, if not redirect to HTTPS
});

app_https.post('/connect', function(req, res){
  // Must be on HTTPS
});

app_http.get('/', function(req, res){
  // Must be on HTTP
});

app_http.get('/build', function(req, res){
  // Must be on HTTP
});

// Call http.createServer & https.createServer here with the needed details.
Chandu answered Oct 19 '22 13:10


const express = require('express');
const fs = require('fs');
const app = express();

// TLS private key and certificate for the HTTPS listener
const options = {
    key: fs.readFileSync('./ssl/privkey.pem'),
    cert: fs.readFileSync('./ssl/allchange.pem')
};

// The same Express app is the request handler for both servers
const https = require('https').createServer(options, app);
const http = require('http').createServer(app);

app.get('/', (req, res) => {
    // Plain-HTTP requests are sent to the HTTPS site
    if (req.protocol === 'http') {
        return res.redirect('https://www.pkred.com/');
    }
    // code
    // More code
    // End code
});

app.get('/:id', (req, res) => {
    if (req.protocol === 'http') {
        return res.redirect(`https://www.pkred.com/${req.params.id}`);
    }
    // code
    // More code
    // End code
});

http.listen(8080, () => console.log('PORT :: 8080'));
https.listen(4433, () => console.log('PORT :: 4433'));
Indio Takanga answered Oct 19 '22 12:10