
I have the following code in my Fastify server hosted on Heroku:

// Runs before the route handler on every request.
this.server.addHook('preHandler', async (req, reply) => {
  // Heroku's router terminates TLS and reports the original scheme here.
  const isHttps = req.headers['x-forwarded-proto'] === 'https';
  if (isHttps) {
    return;
  }

  const { method, url } = req;

  // Only GET and HEAD are redirected; other methods fall through to the handler.
  if (method && ['GET', 'HEAD'].includes(method)) {
    const host = req.headers.host || req.hostname;
    reply.redirect(301, `https://${host}${url}`);
  }
});

The idea is to prevent access to the server through HTTP and force redirection to HTTPS at the application level, since it is not possible otherwise on Heroku.

My question is: if the first request to the server via HTTP (before the redirection happens) contains sensitive information such as a username/password, wouldn't that still be "dangerous" or compromising somehow?

Sammy

1 Answer

You have probably misconfigured something on Heroku.

Heroku domains (.herokuapp.com) are HTTPS-enabled by default. The same page also has a guide for custom-domain SSL setup. Since you are talking about a username and password, I am going to assume this is a website. All you need to do is set up CORS with fastify-cors. Your website should ALWAYS be served over HTTPS.

Also, you should not use the logic above. Fastify isn't meant to be used as a proxy server. The docs strongly suggest using a front-facing proxy server like nginx. With Heroku you don't need any of this; it already handles it for you.

In the future you could also use Cloudflare as a "proxy server" outside Heroku.

Mohamed Sohail