root
/
greenlock-express.js
mirror of https://github.com/therootcompany/greenlock-express.js.git
2
1
Fork 0
Code Issues 43 Releases Wiki Activity

How to redirect API calls from HTTP to HTTPS #15

New Issue
Open
opened 2019-11-06 17:56:50 +00:00 by Ghost · 3 comments
Ghost commented 2019-11-06 17:56:50 +00:00
Copy Link

Using greenlock-express v3 to serve my website; i have an API and currently my API client (RestSharp) fails as receives an HTML with the http-equiv redirect to https....

There is some way (cannot find on docs) to make greenlock-express to send an HTTP 301 with the https location?

Thanks!

Using greenlock-express v3 to serve my website; i have an API and currently my API client (RestSharp) fails as receives an HTML with the <META> http-equiv redirect to https.... There is some way (cannot find on docs) to make greenlock-express to send an HTTP 301 with the https location? Thanks!
coolaj86 commented 2019-11-06 18:15:01 +00:00
Owner
Copy Link

Yes, but I’m on my phone so I’ll give a quick response now and follow up later:

You can, but you would be purposefully defeating the security feature that was put in exactly for this use case.

API clients SHOULD NOT follow HTTP -> HTTPs redirects.

That exposes API tokens publicly to anyone on the network.

Instead, the API client should be fixed to use HTTPS urls for HTTPS apis.

Yes, but I’m on my phone so I’ll give a quick response now and follow up later: You can, but you would be purposefully defeating the security feature that was put in exactly for this use case. API clients SHOULD NOT follow HTTP -> HTTPs redirects. That exposes API tokens publicly to anyone on the network. Instead, the API client should be fixed to use HTTPS urls for HTTPS apis.
Ghost commented 2019-11-06 18:53:20 +00:00
Author
Copy Link

My problem is, my clients should work with HTTP while i'm migrating them to https (hundreds of clients which i must manually update...)

Giving an error while the migration is in progress in NOT AN OPTION! I must continue to respond on HTTP, and also respond on HTTPS.

When all my REST clients are fully going to HTTPS and nobody uses HTTP in that specific API, then i can finally remove that "temporary redirect"

My problem is, my clients should work with HTTP while i'm migrating them to https (hundreds of clients which i must manually update...) Giving an error while the migration is in progress in NOT AN OPTION! I must continue to respond on HTTP, and also respond on HTTPS. When all my REST clients are fully going to HTTPS and nobody uses HTTP in that specific API, then i can finally remove that "temporary redirect"
coolaj86 commented 2019-11-06 18:59:41 +00:00
Owner
Copy Link

Check out the http example in the examples folder.

You can pass in your own instance of redirect-https with the meta option turned off.

Or you can write your own redirector as a normal http app.

Check out the http example in the examples folder. You can pass in your own instance of `redirect-https` with the meta option turned off. Or you can write your own redirector as a normal http app.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
github
next
v4
npm
v3
v2
beta
v2.0
greenlock
express
v1.x
v4.0.4
v4.0.3
v4.0.1
v3.1.0
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.7.18
v2.7.17
v2.7.16
v2.7.15
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.6
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.9
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.4
v2.3.2
v1.3.1
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.0.12
v2.0.11
v2.0.10
v2.0.9
v2.0.8
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.2.0
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: root/greenlock-express.js#15
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?