{"id":17225,"library":"express-http-to-https","title":"Express HTTP to HTTPS Redirect Middleware","description":"express-http-to-https is a lightweight Node.js package designed to provide an Express.js middleware for automatically redirecting HTTP traffic to HTTPS. This utility focuses on a single concern: ensuring that clients attempting to connect over unencrypted HTTP are seamlessly redirected to the secure HTTPS version of the application. The current stable version is 1.1.4, but the package has not seen active development in approximately eight years, with its last publish occurring in April 2018, indicating it is largely abandoned. Key differentiators include its simplicity and configurable options to ignore specific hostnames (e.g., for local development) or routes, as well as the ability to specify the HTTP redirect status code. It relies on checking the `x-forwarded-proto` header, which is standard when running applications behind a reverse proxy like Nginx or a cloud load balancer. While functional for its core purpose, its lack of recent updates means it might not incorporate modern Express or Node.js features, nor receive security patches.","status":"abandoned","version":"1.1.4","language":"javascript","source_language":"en","source_url":"https://github.com/SegFaultx64/express-http-to-https","tags":["javascript"],"install":[{"cmd":"npm install express-http-to-https","lang":"bash","label":"npm"},{"cmd":"yarn add express-http-to-https","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-http-to-https","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package provides an Express.js middleware and requires Express to function.","package":"express","optional":false}],"imports":[{"note":"The library exports `redirectToHTTPS` as a named export. ESM usage should destructure it.","wrong":"import redirectToHTTPS from 'express-http-to-https';","symbol":"redirectToHTTPS","correct":"import { redirectToHTTPS } from 'express-http-to-https';"},{"note":"When using CommonJS, `redirectToHTTPS` is a property of the main export object.","wrong":"const redirectToHTTPS = require('express-http-to-https');","symbol":"redirectToHTTPS","correct":"const redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;"},{"note":"While functional without arguments, it's common to pass `ignoreHosts`, `ignoreRoutes`, or `redirectCode` for specific behaviors.","wrong":"app.use(redirectToHTTPS());","symbol":"Usage as middleware","correct":"app.use(redirectToHTTPS([/localhost:(\\d{4})/], [//insecure/], 301));"}],"quickstart":{"code":"var express = require('express');\nvar app = express();\n\nvar redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;\n\n// Important: Enable 'trust proxy' if running behind a reverse proxy (e.g., Nginx, Heroku, AWS ELB).\n// This allows Express to correctly interpret 'x-forwarded-proto' headers.\napp.enable('trust proxy');\n\n// Don't redirect if the hostname is `localhost:port` or the route is `/insecure`\napp.use(redirectToHTTPS([/localhost:(\\d{4})/], [//insecure/], 301));\n\napp.get('/', function (req, res) {\n  res.send('Hello World - Secure!');\n});\n\napp.get('/insecure', function (req, res) {\n  res.send('Dangerous - Insecure Route!');\n});\n\n// Listen on HTTP for demonstration of redirect\napp.listen(3000, function () {\n  console.log('HTTP server listening on port 3000 (will redirect to HTTPS if not ignored)!');\n});\n\n// In a real application, you would also run an HTTPS server on port 443\n// const https = require('https');\n// const fs = require('fs');\n// const options = {\n//   key: fs.readFileSync('path/to/your/private.key'),\n//   cert: fs.readFileSync('path/to/your/certificate.crt')\n// };\n// https.createServer(options, app).listen(443, function () {\n//   console.log('HTTPS server listening on port 443!');\n// });","lang":"javascript","description":"This example demonstrates how to apply the `redirectToHTTPS` middleware to an Express application, showing configuration for ignoring specific hosts and routes, and explicitly enabling 'trust proxy' for deployments behind reverse proxies."},"warnings":[{"fix":"Add `app.enable('trust proxy');` early in your Express application setup.","message":"When deploying an Express application behind a reverse proxy (like Nginx, Apache, Heroku, AWS ELB/ALB, Google Cloud Load Balancer, etc.), `express-http-to-https` relies on the `x-forwarded-proto` header to determine the original protocol. Express's `app.enable('trust proxy')` setting must be configured for this header to be correctly trusted and processed, otherwise, the middleware may not redirect or may cause redirect loops.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Consider more actively maintained alternatives if continuous updates and support are required, or fork and maintain the package privately.","message":"The package has not been actively maintained since its last publish in April 2018. While the core functionality is simple and stable, this means it may not receive updates for compatibility with newer Node.js or Express versions, bug fixes, or potential security vulnerabilities discovered in the future. Evaluate alternatives or vendor the code if long-term maintenance is critical.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Carefully test `ignoreHosts` and `ignoreRoutes` regex patterns, especially across different environments. Ensure port numbers are included in `ignoreHosts` where applicable.","message":"Incorrect or overly broad regular expressions for `ignoreHosts` or `ignoreRoutes` can lead to unintended behavior, such as development environments failing to redirect, or secure routes being accidentally exposed over HTTP. Remember that `ignoreHosts` should include the port (e.g., `[/localhost:8080/]`).","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure `app.enable('trust proxy');` is set if behind a proxy. Double-check `ignoreHosts` and `ignoreRoutes` patterns for correctness, including port numbers for hosts.","cause":"Often caused by an infinite redirect loop because the middleware incorrectly believes the request is still HTTP, or `ignoreHosts`/`ignoreRoutes` are misconfigured, or `trust proxy` is not enabled behind a proxy.","error":"ERR_TOO_MANY_REDIRECTS"},{"fix":"Change `const redirectToHTTPS = require('express-http-to-https');` to `const redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;`","cause":"This typically occurs in CommonJS environments when `require('express-http-to-https')` is used without explicitly accessing the named export `redirectToHTTPS`.","error":"TypeError: Cannot read property 'redirectToHTTPS' of undefined"},{"fix":"Add `app.enable('trust proxy');` to your Express application setup before defining any routes or middleware.","cause":"The most common reason for this when deployed behind a proxy is the lack of `app.enable('trust proxy')`, preventing the middleware from correctly reading the `x-forwarded-proto` header.","error":"HTTP requests are not redirecting to HTTPS in production"}],"ecosystem":"npm","meta_description":null}