Express HTTP to HTTPS Redirect Middleware
express-http-to-https is a lightweight Node.js package designed to provide an Express.js middleware for automatically redirecting HTTP traffic to HTTPS. This utility focuses on a single concern: ensuring that clients attempting to connect over unencrypted HTTP are seamlessly redirected to the secure HTTPS version of the application. The current stable version is 1.1.4, but the package has not seen active development in approximately eight years, with its last publish occurring in April 2018, indicating it is largely abandoned. Key differentiators include its simplicity and configurable options to ignore specific hostnames (e.g., for local development) or routes, as well as the ability to specify the HTTP redirect status code. It relies on checking the `x-forwarded-proto` header, which is standard when running applications behind a reverse proxy like Nginx or a cloud load balancer. While functional for its core purpose, its lack of recent updates means it might not incorporate modern Express or Node.js features, nor receive security patches.
Common errors
- ERR_TOO_MANY_REDIRECTS
  cause: Often caused by an infinite redirect loop because the middleware incorrectly believes the request is still HTTP, or `ignoreHosts`/`ignoreRoutes` are misconfigured, or `trust proxy` is not enabled behind a proxy.
  fix: Ensure `app.enable('trust proxy');` is set if behind a proxy. Double-check `ignoreHosts` and `ignoreRoutes` patterns for correctness, including port numbers for hosts.
- TypeError: Cannot read property 'redirectToHTTPS' of undefined
  cause: This typically occurs in CommonJS environments when `require('express-http-to-https')` is used without explicitly accessing the named export `redirectToHTTPS`.
  fix: Change `const redirectToHTTPS = require('express-http-to-https');` to `const redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;`
- HTTP requests are not redirecting to HTTPS in production
  cause: The most common reason for this when deployed behind a proxy is the lack of `app.enable('trust proxy')`, preventing the middleware from correctly reading the `x-forwarded-proto` header.
  fix: Add `app.enable('trust proxy');` to your Express application setup before defining any routes or middleware.
Warnings
- gotcha When deploying an Express application behind a reverse proxy (like Nginx, Apache, Heroku, AWS ELB/ALB, Google Cloud Load Balancer, etc.), `express-http-to-https` relies on the `x-forwarded-proto` header to determine the original protocol. Express's `app.enable('trust proxy')` setting must be configured for this header to be correctly trusted and processed; otherwise the middleware may not redirect or may cause redirect loops.
- gotcha The package has not been actively maintained since its last publish in April 2018. While the core functionality is simple and stable, this means it may not receive updates for compatibility with newer Node.js or Express versions, bug fixes, or potential security vulnerabilities discovered in the future. Evaluate alternatives or vendor the code if long-term maintenance is critical.
- gotcha Incorrect or overly broad regular expressions for `ignoreHosts` or `ignoreRoutes` can lead to unintended behavior, such as development environments failing to redirect, or secure routes being accidentally exposed over HTTP. Remember that `ignoreHosts` should include the port (e.g., `[/localhost:8080/]`).
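The two failure modes above (missing `trust proxy` and unanchored ignore patterns), as an added example that is not the package's own code: a minimal stand-in for the redirect decision, run against mock requests. The names `mockRequest`, `makeRedirect` and `decide`, the anchored patterns and the hostnames are constructed for illustration.

```javascript
'use strict';

// Added example, not the package's source. Express sets req.secure from the socket,
// or from x-forwarded-proto when 'trust proxy' is enabled; mockRequest mimics that.
function mockRequest({ host, url, forwardedProto, trustProxy = false }) {
  const proto = trustProxy && forwardedProto ? forwardedProto : 'http';
  return { headers: { host }, url, secure: proto === 'https' };
}

// Same argument order as the page's redirectToHTTPS(ignoreHosts, ignoreRoutes, code).
function makeRedirect(ignoreHosts = [], ignoreRoutes = [], code = 302) {
  return function (req, res, next) {
    const host = req.headers.host || '';
    const skip = req.secure ||
      ignoreHosts.some((re) => re.test(host)) ||
      ignoreRoutes.some((re) => re.test(req.url));
    if (skip) return next();
    res.redirect(code, 'https://' + host + req.url);
  };
}

// Run a middleware against a mock request; return 'next' or '<code> <location>'.
function decide(middleware, reqOptions) {
  let outcome = 'unhandled';
  const res = { redirect: (code, location) => { outcome = code + ' ' + location; } };
  middleware(mockRequest(reqOptions), res, () => { outcome = 'next'; });
  return outcome;
}

// The quickstart's ignore patterns, and anchored versions of them (the anchoring is an
// assumption about intent: exactly localhost:<4 digits> and exactly the /insecure route).
const loose = makeRedirect([/localhost:(\d{4})/], [/\/insecure/], 301);
const anchored = makeRedirect([/^localhost:\d{4}$/], [/^\/insecure(?:[/?]|$)/], 301);

// Constructed requests. TLS ends at the proxy, so the app always sees a plain socket.
const proxied = { host: 'app.example.test', url: '/', forwardedProto: 'https' };
const samples = [
  ['proxy, trust off', anchored, proxied],
  ['proxy, trust on', anchored, { ...proxied, trustProxy: true }],
  ['loose host', loose, { host: 'localhost:8080.example.test', url: '/' }],
  ['anchored host', anchored, { host: 'localhost:8080.example.test', url: '/' }],
  ['loose route', loose, { host: 'app.example.test', url: '/account?next=/insecure' }],
  ['anchored route', anchored, { host: 'app.example.test', url: '/account?next=/insecure' }],
];
for (const [label, mw, req] of samples) console.log(label.padEnd(16), decide(mw, req));
```

With `trust proxy` off, a request that already arrived over HTTPS at the proxy is redirected again, which is the `ERR_TOO_MANY_REDIRECTS` loop; the unanchored patterns skip the redirect for any host or URL that merely contains the ignored text.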
Install
- npm install express-http-to-https
- yarn add express-http-to-https
- pnpm add express-http-to-https
Imports
- redirectToHTTPS
import redirectToHTTPS from 'express-http-to-https';
import { redirectToHTTPS } from 'express-http-to-https';
- redirectToHTTPS
const redirectToHTTPS = require('express-http-to-https');
const redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;
- Usage as middleware
app.use(redirectToHTTPS());
app.use(redirectToHTTPS([/localhost:(\d{4})/], [/\/insecure/], 301));
Quickstart
var express = require('express');
var app = express();
var redirectToHTTPS = require('express-http-to-https').redirectToHTTPS;
// Important: Enable 'trust proxy' if running behind a reverse proxy (e.g., Nginx, Heroku, AWS ELB).
// This allows Express to correctly interpret 'x-forwarded-proto' headers.
app.enable('trust proxy');
// Don't redirect if the hostname is `localhost:port` or the route is `/insecure`
app.use(redirectToHTTPS([/localhost:(\d{4})/], [/\/insecure/], 301));
app.get('/', function (req, res) {
  res.send('Hello World - Secure!');
});
app.get('/insecure', function (req, res) {
  res.send('Dangerous - Insecure Route!');
});
// Listen on HTTP for demonstration of redirect
app.listen(3000, function () {
  console.log('HTTP server listening on port 3000 (will redirect to HTTPS if not ignored)!');
});
// In a real application, you would also run an HTTPS server on port 443
// const https = require('https');
// const fs = require('fs');
// const options = {
//   key: fs.readFileSync('path/to/your/private.key'),
//   cert: fs.readFileSync('path/to/your/certificate.crt')
// };
// https.createServer(options, app).listen(443, function () {
//   console.log('HTTPS server listening on port 443!');
// });