Add HTTPS enforcement middleware for production deployments (Issue #701)

anshul23102 · anshul23102 · commit c29724c170cf · 2026-06-04T02:59:52.000+05:30
Implement automatic HTTP to HTTPS redirection in production environments. This ensures that all credentials and sensitive data are transmitted only over encrypted HTTPS connections, preventing man-in-the-middle attacks and credential leaks. Changes: - Create httpsRedirect middleware that checks x-forwarded-proto header - Redirect HTTP requests to HTTPS in production - Add middleware to server.js before other routes - Handles reverse proxy scenarios (Netlify, Heroku, etc.) Fixes #701
diff --git a/backend/middleware/httpsRedirect.js b/backend/middleware/httpsRedirect.js
@@ -0,0 +1,10 @@
+const httpsRedirect = (req, res, next) => {
+  if (process.env.NODE_ENV === 'production') {
+    if (req.header('x-forwarded-proto') !== 'https') {
+      return res.redirect(301, `https://${req.header('host')}${req.url}`);
+    }
+  }
+  next();
+};
+
+module.exports = httpsRedirect;
diff --git a/backend/server.js b/backend/server.js
@@ -10,9 +10,13 @@ const cors = require('cors');
 require('./config/passportConfig');
 
 const logger = require('./logger');
+const httpsRedirect = require('./middleware/httpsRedirect');
 
 const app = express();
 
+// HTTPS enforcement (must be before other middleware)
+app.use(httpsRedirect);
+
 // CORS configuration
 const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
 app.use(cors({
