
SSL/HTTPS-ify for Heroku

Pacharapol Withayasakpunt (@patarapolw) · 2 min read

Heroku already provides HTTPS by default. You don't have to buy your own SSL certificate.

But you do have to add some server-side code to redirect plain HTTP to HTTPS, because the Heroku router accepts both -- https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls

For frameworks without a ready-made middleware, like Node.js with Fastify, you might have to write your own.

The guides are (quoted from the express-sslify README, and then the equivalent Django settings):

Reverse Proxies (Heroku, nodejitsu and others)

Heroku, nodejitsu and other hosters often use reverse proxies which offer SSL endpoints but then forward unencrypted HTTP traffic to the website. This makes it difficult to detect if the original request was indeed via HTTPS. Luckily, most reverse proxies set the x-forwarded-proto header flag with the original request scheme. express-sslify is ready for such scenarios, but you have to specifically request the evaluation of this flag:

app.use(enforce.HTTPS({ trustProtoHeader: true }))

Please do not set this flag if you are not behind a proxy that is setting this flag. HTTP headers can be easily spoofed outside of environments that are actively setting/removing the header.

Or, for Django, the equivalent settings (the header name is the WSGI form of X-Forwarded-Proto):

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True

So the Fastify code becomes (I adapted it from express-sslify):

    const fastify = require('fastify')

    // trustProxy is only appropriate behind Heroku's router (or another proxy you
    // control), which overwrites x-forwarded-* on every request.
    const app = fastify({ trustProxy: true })

    // onRequest runs before the body is parsed, so a rejected POST is never read.
    app.addHook('onRequest', async (req, reply) => {
      // The router terminates TLS and forwards plain HTTP; the original scheme is
      // in x-forwarded-proto (comma-separated when several proxies are chained).
      const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase()
      if (proto === 'https') {
        return
      }

      const { method, url } = req

      if (method && ['GET', 'HEAD'].includes(method)) {
        const host = req.headers.host || req.hostname
        // reply.code() first so the redirect keeps 301 across Fastify versions;
        // returning the reply ends the request here.
        return reply.code(301).redirect(`https://${host}${url}`)
      }

      // As in express-sslify: do not redirect other methods, because the client
      // would have already sent its body over plain HTTP.
      return reply.code(403).send('Please use HTTPS when submitting data to this server.')
    })
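The decision behind that hook, as an added example that is not code from the post or from express-sslify: a framework-free JavaScript function that takes the request's method, URL, headers and whether the app's own socket was TLS, and returns allow / redirect / forbid. It exercises the trustProtoHeader caveat quoted above with constructed requests: a request from Heroku's router and a spoofed one sent straight to the app are byte-for-byte identical, so only the configuration decides whether the header is believed. The `canonicalHost` option is an assumption of this example (express-sslify has no such option); it pins the redirect target instead of echoing the client's Host header.

```javascript
// Added example, not code from the post or from express-sslify: the HTTPS
// enforcement decision as a pure function so the trustProtoHeader caveat can be
// exercised against constructed requests without a proxy in front.

// Scheme the proxy reports for the original request. In a proxy chain the header
// is a comma-separated list; the first entry is the scheme the client used
// against the outermost proxy.
function forwardedProto(headers) {
  const value = headers['x-forwarded-proto'] || ''
  return value.split(',')[0].trim().toLowerCase()
}

function lowerCaseKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]))
}

// req:  { method, url, headers, encrypted }; `encrypted` is whether the socket the
//       app itself accepted was TLS (req.socket.encrypted in Node; always false on Heroku)
// opts: trustProtoHeader as in express-sslify; canonicalHost is an assumed extra
//       option that pins the redirect target instead of echoing the client's Host
// Returns { action: 'allow' }, { action: 'redirect', status, location } or { action: 'forbid', status }
function enforceHttps(req, opts = {}) {
  const { trustProtoHeader = false, canonicalHost = null } = opts
  const headers = lowerCaseKeys(req.headers || {})

  // Consult x-forwarded-proto only when a proxy we control sets it. Otherwise a
  // client talking to the app directly can send the header itself and skip the redirect.
  const viaTls = Boolean(req.encrypted) ||
    (trustProtoHeader && forwardedProto(headers) === 'https')
  if (viaTls) return { action: 'allow' }

  const method = String(req.method || '').toUpperCase()
  if (method === 'GET' || method === 'HEAD') {
    const host = canonicalHost || headers.host
    if (!host) return { action: 'forbid', status: 400 } // no safe Location to build
    return { action: 'redirect', status: 301, location: `https://${host}${req.url || '/'}` }
  }
  // Redirecting a POST would make the client resend its body over plain HTTP first.
  return { action: 'forbid', status: 403 }
}

// Constructed requests, not captured traffic. The first two are byte-for-byte the
// same; only the deployment (is Heroku's router in front?) makes one trustworthy.
const SAMPLE = {
  viaRouter: { method: 'GET', url: '/app', encrypted: false,
               headers: { Host: 'example.herokuapp.com', 'X-Forwarded-Proto': 'https' } },
  spoofed:   { method: 'GET', url: '/app', encrypted: false,
               headers: { Host: 'example.herokuapp.com', 'X-Forwarded-Proto': 'https' } },
  plainGet:  { method: 'GET', url: '/login?next=%2Fadmin', encrypted: false,
               headers: { Host: 'example.herokuapp.com', 'X-Forwarded-Proto': 'http' } },
  plainPost: { method: 'POST', url: '/login', encrypted: false,
               headers: { Host: 'example.herokuapp.com', 'X-Forwarded-Proto': 'http' } },
  chained:   { method: 'GET', url: '/', encrypted: false,
               headers: { Host: 'example.herokuapp.com', 'X-Forwarded-Proto': 'https, http' } },
}

function demo() {
  return {
    viaRouter: enforceHttps(SAMPLE.viaRouter, { trustProtoHeader: true }),
    spoofed:   enforceHttps(SAMPLE.spoofed,   { trustProtoHeader: false }), // header ignored, so redirect
    plainGet:  enforceHttps(SAMPLE.plainGet,  { trustProtoHeader: true }),
    plainPost: enforceHttps(SAMPLE.plainPost, { trustProtoHeader: true }),
    chained:   enforceHttps(SAMPLE.chained,   { trustProtoHeader: true }),
    pinned:    enforceHttps(SAMPLE.plainGet,  { trustProtoHeader: true, canonicalHost: 'www.example.com' }),
  }
}

console.log(demo())
```

Run it with `node` and compare the `viaRouter` and `spoofed` entries: same request, opposite outcomes, which is exactly why the flag must track whether a proxy that overwrites the header is actually in front of the process.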

My homepage is currently on Netlify, though, and I didn't have to purchase an SSL certificate there either.

For DigitalOcean, you might use Let's Encrypt.

I believe the reason to use SSL/TLS is that HTTP can be intercepted. I'm not sure how safe it is on localhost. (Of course it is unsafe on 0.0.0.0.)
