Source code of released version | Source code of development version
This package, part of Webapp, causes Meteor to redirect insecure connections (HTTP) to a secure URL (HTTPS). Use this package to ensure that communication to the server is always encrypted to protect users from active spoofing attacks.
Meteor bundles (i.e.
meteor build) do not include an HTTPS server or
certificate. A proxy server that terminates SSL in front of a Meteor
bundle must set the
(RFC 7239) header for this package to
forwarded header is used to determine if the
connection arrived over HTTPS and a heuristic is used to guess if it's running
in development. To simplify development, unencrypted connections from
localhost are always accepted over HTTP.
We recommend this package only for deployment platforms that do not have their own ability to force SSL. If you're deploying with Galaxy, you should instead use the "Force HTTPS" setting (on the specific domain in the "Domains & Encryption" section of your application's "Settings" tab). If you're using another deployment platform, you should attempt to provide this redirection on the proxy which terminates your SSL (e.g. HAProxy, nginx, etc.), outside of Meteor and without this package.