Force production traffic via HTTPS #353

Closed
idmarjr opened this issue Jun 26, 2022 · 0 comments · Fixed by #357

Comments


idmarjr commented Jun 26, 2022

Summary

Currently we have an SSL certificate generated via Let's Encrypt using the automatic setup from Heroku. This means if you access https://app.brmodeloweb.com your connection is encrypted and you're safe.

The problem here is: Heroku does not force users accessing via HTTP to be redirected to HTTPS. This means we have a security breach where users are able to log in to the app via an unencrypted connection, possibly exposing their data in a man-in-the-middle attack.

Solution

Based on the Heroku documentation (Can Heroku force an application to use SSL/TLS?):

You have configured an SSL certificate and now you want your application to use https for all requests.
Resolution

Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.

Under the hood, Heroku router (over)writes the X-Forwarded-Proto and the X-Forwarded-Port request headers. The app must check X-Forwarded-Proto and respond with a redirect response when it is not https but http.

This means we need to handle the traffic redirect at the application level. There are multiple packages available on NPM that can help us handle this.
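As an added example (not code from the brmodeloweb project or from any of the NPM packages mentioned above), here is what an application-level redirect built on the Heroku behaviour quoted above looks like. It assumes an Express-style Node app: request objects with `headers`, `method` and `url`, and the `(req, res, next)` middleware signature. The decision logic is kept in a plain function so it can be tested without a server, and it handles two details the docs leave implicit: X-Forwarded-Proto can arrive as a comma-separated list when several proxies are chained (only the client-most value counts), and a non-GET request must be redirected with 308 rather than 301 so the method and body survive the redirect. The Strict-Transport-Security header is set only on responses that already arrived over HTTPS, since browsers ignore it on plain HTTP responses.

```javascript
'use strict';

// Added example, not project code. Assumes an Express-style app behind the
// Heroku router, which (over)writes X-Forwarded-Proto for every request.

// Scheme the client used, taken from the first (client-most) entry of
// X-Forwarded-Proto. Returns null when the header is absent, i.e. the request
// did not come through the router (direct local access).
function forwardedProto(headers) {
  const raw = headers['x-forwarded-proto'];
  if (typeof raw !== 'string' || raw.length === 0) return null;
  return raw.split(',')[0].trim().toLowerCase();
}

// Decide whether a request must be redirected. Returns null when the request
// may be served, or { status, location } describing the redirect.
// options.enabled     - set false for local development without TLS
// options.canonicalHost - hypothetical; when given, it is used instead of the
//                        client-supplied Host header so the redirect target
//                        cannot be steered by a forged Host value.
function httpsRedirect(req, options) {
  const opts = Object.assign({ enabled: true, canonicalHost: null }, options);
  if (!opts.enabled) return null;

  const proto = forwardedProto(req.headers);
  if (proto === null || proto === 'https') return null;

  const host = opts.canonicalHost || req.headers.host;
  if (!host) return { status: 400, location: null }; // no safe target to build

  // 301 for idempotent GET/HEAD; 308 keeps method and body for everything else,
  // so a redirected POST is not silently turned into a GET.
  const status = (req.method === 'GET' || req.method === 'HEAD') ? 301 : 308;
  return { status, location: `https://${host}${req.url}` };
}

// Express-style middleware built on the decision function above.
function forceHttps(options) {
  return function (req, res, next) {
    const decision = httpsRedirect(req, options);
    if (decision === null) {
      // Served over HTTPS: tell browsers to use HTTPS for a year regardless of
      // which link they follow next. Only honoured on HTTPS responses.
      if (forwardedProto(req.headers) === 'https') {
        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
      }
      return next();
    }
    res.statusCode = decision.status;
    if (decision.location === null) return res.end('Bad Request');
    res.setHeader('Location', decision.location);
    return res.end();
  };
}

// Usage with Express (assumed wiring, not shown on the page):
//   app.use(forceHttps({
//     enabled: process.env.NODE_ENV === 'production',
//     canonicalHost: 'app.brmodeloweb.com',
//   }));

module.exports = { forwardedProto, httpsRedirect, forceHttps };
```

Register the middleware before any route that handles credentials, so the login form is never served or submitted over plain HTTP. Disabling it outside production avoids redirect loops on a local server that has no TLS in front of it.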

Reference links
