
Force https in production (deployment)  #1409

Closed

@firaskrichi:

Is there a way to force the app to use https?

Activity

tbillington commented on Jan 19, 2017

It's pretty unrelated. That's config on the server, not the running code.

If you don't want your code to work in non https you could check that the url starts with https and display some kind of error if it doesn't, but really you want to be configuring your server to redirect http to https.

Reanmachine commented on Jan 19, 2017

Create React App doesn't handle the server in production. It generates a static file structure that can be served by anything.

If you're using the recommendation in CRA of pushstate-server then you need to read about adding https to connect because pushstate-server uses connect and you'll want to create a small server.js to instantiate it programmatically.

Edit: It seems pushstate-server is really basic; if you're using this in lieu of a daemon (Apache/nginx/etc.) or a custom server script to serve your static content, you probably cannot get HTTPS support in pushstate-server, as the author doesn't seem interested in supporting it.

I would recommend writing a really simple https/connect server or even express/koa/hapi to support the http -> https rewrite & serving the static files on the https port only.

Timer (Contributor) commented on Jan 19, 2017

I haven't tested this, but if configuring the server to do this isn't an option, you may try something like this (in your index.js; first line(s) of the file):

if (window.location.protocol !== 'https:') {
  // Rebuild the current URL with the https: scheme and navigate to it
  window.location = 'https:' + window.location.href.substring(window.location.protocol.length);
} else {
  // Mount the app only when already on https; a bare top-level `return` is not
  // valid in an ES module, so the existing ReactDOM.render(...) call goes here
}

This, however, defeats the purpose of preventing against a MITM attack if a malicious entity wanted to disguise your website as a whole. I wouldn't use it if I were you.

Reanmachine commented on Jan 19, 2017

@Timer That defeats the purpose of HTTPS enforcement, as the entire package (including the javascript) will be delivered over tamperable HTTP. Also, if the server isn't configured to serve over https then it will redirect to a URL that won't connect as the server isn't listening on 443.

This is something that has to be solved at the server level (and thus not a CRA concern), the server should enforce the transition to prevent the client from receiving the app over http.

Timer (Contributor) commented on Jan 19, 2017

I'm aware of those implications @Reanmachine (and I would never do it that way, personally), but I was just offering the option.
Thus why I wrote "This, however, defeats the purpose of preventing against a MITM attack if a malicious entity wanted to disguise your website as a whole. I wouldn't use it if I were you."

Reanmachine commented on Jan 19, 2017

Sorry @Timer I must have missed that when reading your response.

firaskrichi (Author) commented on Jan 19, 2017

Thanks guys, I will set it up on the express server.

cr101 (Contributor) commented on Jan 20, 2017

@Reanmachine Using https-pushstate-server instead might be the solution

locked and limited conversation to collaborators on Jan 21, 2019
          Force https in production (deployment) · Issue #1409 · facebook/create-react-app