{"id":17609,"library":"express-force-https","title":"Express HTTPS Redirect Middleware","description":"express-force-https is an Express.js middleware designed to automatically redirect all incoming HTTP requests to their HTTPS equivalent. First published over a decade ago, its current (and only) stable version is 1.0.0. The middleware specifically checks if a request is already secure; if not, it issues a redirect. A key feature is its built-in exemption for `localhost` requests, preventing redirects during local development. Due to its age and lack of updates, it is considered abandoned and may not be suitable for modern Express applications, especially those deployed behind reverse proxies or load balancers which require specific `X-Forwarded-Proto` header handling. Alternative, more actively maintained solutions are generally recommended for production environments.","status":"abandoned","version":"1.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/njam3/express-force-https","tags":["javascript","express","middleware","https","force"],"install":[{"cmd":"npm install express-force-https","lang":"bash","label":"npm"},{"cmd":"yarn add express-force-https","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-force-https","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is CommonJS-only and does not support ES module imports.","wrong":"import secure from 'express-force-https';","symbol":"secure","correct":"const secure = require('express-force-https');"}],"quickstart":{"code":"const express = require('express');\nconst forceHttps = require('express-force-https');\n\nconst app = express();\n\n// Use the forceHttps middleware. \n// It should typically be one of the first middlewares to ensure all traffic is secured early.\napp.use(forceHttps);\n\napp.get('/', (req, res) => {\n  res.send('Hello from the Express server! 
This page should be served over HTTPS.');\n});\n\napp.get('/unsecure-test', (req, res) => {\n  res.send('You tried to access this via HTTP, but were redirected to HTTPS!');\n});\n\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n  console.log(`HTTP server running on port ${PORT}. Try visiting http://localhost:${PORT}`);\n  console.log('You should be redirected to HTTPS if not on localhost and server is configured for SSL.');\n});\n\n// Note: This middleware only handles the redirect. \n// You still need to set up an HTTPS server (e.g., with `https` module) \n// or a reverse proxy (like Nginx) to handle incoming HTTPS requests.","lang":"javascript","description":"Demonstrates how to integrate the express-force-https middleware into a basic Express application to enforce HTTPS redirects for all routes, excluding localhost."},"warnings":[{"fix":"Consider using alternative, actively maintained solutions for HTTPS redirection, or implement custom middleware to leverage Express's `req.secure` property or `X-Forwarded-Proto` header check for robust proxy support.","message":"The package has not been updated in over 10 years and is considered abandoned. It may contain unpatched vulnerabilities or not function correctly with newer Node.js or Express.js versions.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Set `app.set('trust proxy', 1)` in your Express application to correctly interpret proxy headers. For robust proxy detection, it is generally safer to check `req.headers['x-forwarded-proto']` manually.","message":"When running Express behind a reverse proxy (e.g., Nginx, AWS ELB, Heroku, Azure), the `req.secure` property might incorrectly report HTTP even if the client connected via HTTPS to the proxy. 
This requires configuring `app.set('trust proxy', 1)` in Express and often manually checking the `X-Forwarded-Proto` header.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"To ensure a 301 redirect, implement custom middleware or use an alternative package that allows specifying the status code, e.g., `res.redirect(301, 'https://' + req.headers.host + req.url);`","message":"The default redirect status code used by `express-force-https` (which relies on Express's `res.redirect`) is typically 302 (Found). For permanent HTTPS enforcement and better SEO, a 301 (Moved Permanently) redirect is usually preferred.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Ensure Express is correctly installed and initialized. Upgrade Express to a compatible version. Place `app.use(forceHttps)` early in your middleware chain.","cause":"The Express `req` object or its `secure` property is not available or is malformed when the middleware is invoked, likely due to an outdated Express version or incorrect middleware order.","error":"TypeError: Cannot read properties of undefined (reading 'secure')"},{"fix":"Add `app.set('trust proxy', 1);` to your Express application. For more control, consider replacing `express-force-https` with custom middleware that checks `req.headers['x-forwarded-proto'] === 'http'`.","cause":"The `express-force-https` middleware relies on `req.secure`, which may not be accurate when the application is behind a reverse proxy or load balancer that handles SSL termination. The proxy might forward HTTP to the Express app, making `req.secure` false.","error":"Application running on HTTP and not redirecting to HTTPS when deployed behind a proxy."},{"fix":"The middleware intentionally skips `localhost`. 
For other local development hostnames, explicitly exclude them in your proxy configuration or by adding a conditional check around the middleware in your development environment, e.g., `if (process.env.NODE_ENV === 'production') { app.use(forceHttps); }`.","cause":"While `express-force-https` is designed to exclude `localhost`, if your development environment uses a custom hostname (e.g., `http://dev.myapp.com`) or a reverse proxy even locally, it might trigger the redirect.","error":"Local development (e.g., `http://localhost:3000`) is unexpectedly redirected to HTTPS."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}