Express HTTPS Redirect Middleware
express-force-https is an Express.js middleware designed to automatically redirect all incoming HTTP requests to their HTTPS equivalent. It was first published over a decade ago, and its current (and only) stable version is 1.0.0. The middleware checks whether a request is already secure; if it is not, it issues a redirect. A key feature is its built-in exemption for `localhost` requests, which prevents redirects during local development. Due to its age and lack of updates, it is considered abandoned and may not be suitable for modern Express applications, especially those deployed behind reverse proxies or load balancers, which require specific `X-Forwarded-Proto` header handling. Alternative, more actively maintained solutions are generally recommended for production environments.
Common errors
error TypeError: Cannot read properties of undefined (reading 'secure')
app.use(forceHttps) early in your middleware chain.
error Application running on HTTP and not redirecting to HTTPS when deployed behind a proxy.
app.set('trust proxy', 1); to your Express application. For more control, consider replacing express-force-https with custom middleware that checks req.headers['x-forwarded-proto'] === 'http'.
error Local development (e.g., `http://localhost:3000`) is unexpectedly redirected to HTTPS.
localhost. For other local development hostnames, explicitly exclude them in your proxy configuration or by adding a conditional check around the middleware in your development environment, e.g., if (process.env.NODE_ENV === 'production') { app.use(forceHttps); }.
Warnings
breaking The package has not been updated in over 10 years and is considered abandoned. It may contain unpatched vulnerabilities or not function correctly with newer Node.js or Express.js versions.
gotcha When running Express behind a reverse proxy (e.g., Nginx, AWS ELB, Heroku, Azure), the `req.secure` property might incorrectly report HTTP even if the client connected via HTTPS to the proxy. This requires configuring `app.set('trust proxy', 1)` in Express and often manually checking the `X-Forwarded-Proto` header.
gotcha The default redirect status code used by `express-force-https` (which relies on Express's `res.redirect`) is typically 302 (Found). For permanent HTTPS enforcement and better SEO, a 301 (Moved Permanently) redirect is usually preferred.
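The custom middleware suggested above, as an added example (not code from express-force-https): it relies on `req.secure` as computed by Express once `trust proxy` is set, keeps the `localhost` exemption, and issues a 301. It goes beyond the page by allowlisting the redirect host and using 308 for non-GET/HEAD methods; `httpsRedirect`, `simulate`, `allowedHosts` and `app.example.com` are hypothetical names.

```javascript
// Hypothetical replacement for express-force-https: an Express-style middleware
// factory that redirects plain-HTTP requests to HTTPS.
function httpsRedirect({ allowedHosts, exemptHosts = ['localhost'] }) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const exempt = new Set(exemptHosts);

  return function (req, res, next) {
    // With app.set('trust proxy', 1), Express derives req.secure from the
    // X-Forwarded-Proto header written by the first proxy hop. Without it,
    // req.secure only describes the socket between proxy and app.
    if (req.secure) return next();

    const host = String(req.hostname || '').toLowerCase();
    if (exempt.has(host)) return next(); // local development stays on HTTP

    // The Host header is client-controlled: redirect only to names this app
    // serves, so the requester cannot choose the redirect target.
    if (!allowed.has(host)) return res.status(400).send('Unknown host');

    // 301 for GET/HEAD; 308 keeps method and body for everything else.
    const status = req.method === 'GET' || req.method === 'HEAD' ? 301 : 308;
    return res.redirect(status, `https://${host}${req.originalUrl}`);
  };
}

// Constructed request/response stand-ins so the block runs without Express.
function simulate(mw, { secure = false, hostname, method = 'GET', originalUrl = '/' }) {
  const out = { next: false, status: null, location: null, body: null };
  const res = {
    status(code) { out.status = code; return this; },
    send(body) { out.body = body; return this; },
    redirect(code, url) { out.status = code; out.location = url; },
  };
  mw({ secure, hostname, method, originalUrl }, res, () => { out.next = true; });
  return out;
}

// In a real app: app.set('trust proxy', 1);
//                app.use(httpsRedirect({ allowedHosts: ['app.example.com'] }));
const demo = httpsRedirect({ allowedHosts: ['app.example.com'] });
console.log(simulate(demo, { hostname: 'app.example.com', originalUrl: '/login?next=%2F' }));
```

Set `trust proxy` only to the number of proxy hops you actually operate; if the app is directly reachable, a client can send its own `X-Forwarded-Proto` and `req.secure` becomes meaningless.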
Install
npm install express-force-https
yarn add express-force-https
pnpm add express-force-https
Imports
- secure
wrong: import secure from 'express-force-https';
correct: const secure = require('express-force-https');
Quickstart
const express = require('express');
const forceHttps = require('express-force-https');

const app = express();

// Use the forceHttps middleware.
// It should typically be one of the first middlewares to ensure all traffic is secured early.
app.use(forceHttps);

app.get('/', (req, res) => {
  res.send('Hello from the Express server! This page should be served over HTTPS.');
});

app.get('/unsecure-test', (req, res) => {
  res.send('You tried to access this via HTTP, but were redirected to HTTPS!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`HTTP server running on port ${PORT}. Try visiting http://localhost:${PORT}`);
  console.log('You should be redirected to HTTPS if not on localhost and server is configured for SSL.');
});

// Note: This middleware only handles the redirect.
// You still need to set up an HTTPS server (e.g., with `https` module)
// or a reverse proxy (like Nginx) to handle incoming HTTPS requests.