force-ssl

Source code of released version | Source code of development version

Purpose

This package, part of Webapp, causes Meteor to redirect insecure connections (HTTP) to a secure URL (HTTPS). Use this package to ensure that communication to the server is always encrypted to protect users from active spoofing attacks.

Meteor bundles (i.e. meteor build) do not include an HTTPS server or certificate. A proxy server that terminates SSL in front of a Meteor bundle must set the x-forwarded-proto or forwarded (RFC 7239) header for this package to work.

The x-forwarded-proto or forwarded header is used to determine if the connection arrived over HTTPS and a heuristic is used to guess if it's running in development. To simplify development, unencrypted connections from localhost are always accepted over HTTP.

We recommend this package only for deployment platforms that do not have their own ability to force SSL. If you're deploying with Galaxy, you should instead use the "Force HTTPS" setting (on the specific domain in the "Domains & Encryption" section of your application's "Settings" tab). If you're using another deployment platform, you should attempt to provide this redirection on the proxy which terminates your SSL (e.g. HAProxy, nginx, etc.), outside of Meteor and without this package.