Copyright	(c) Marek Fajkus
License	BSD3
Maintainer	marek.faj@gmail.com
Safe Haskell	None
Language	Haskell2010

Network.Wai.Middleware.EnforceHTTPS

Description

Wai Middleware for enforcing encrypted HTTPS connection safely.

This module is intended to be imported qualified

import qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS

Synopsis

def :: Middleware
withResolver :: HTTPSResolver -> Middleware
xForwardedProto :: HTTPSResolver
azure :: HTTPSResolver
forwarded :: HTTPSResolver
customProtoHeader :: ByteString -> HTTPSResolver
data EnforceHTTPSConfig = EnforceHTTPSConfig {
- httpsIsSecure :: HTTPSResolver
- httpsHostname :: Maybe ByteString
- httpsPort :: Int
- httpsIgnoreURL :: Bool
- httpsTemporary :: Bool
- httpsSkipDefaultPort :: Bool
- httpsRedirectMethods :: [Method]
- httpsDisallowStatus :: Status
}
defaultConfig :: EnforceHTTPSConfig
withConfig :: EnforceHTTPSConfig -> Middleware

Documentation

def :: Middleware Source #

Middleware with default configuration. See defaultConfig for more details.

withResolver :: HTTPSResolver -> Middleware Source #

Construct middleware with provided Resolver See Resolver section for information.

xForwardedProto :: HTTPSResolver Source #

Resolver checking value of x-forwarded-proto HTTP header. This header is for instance used by Heroku or GCP Ingress among many others.

Request is secure if value of header is https otherwise request is considered not being secure.

azure :: HTTPSResolver Source #

Azure is proxying with additional `x-arr-ssl` header if original protocol is HTTPS. This resolver checks for the presence of this header.

forwarded :: HTTPSResolver Source #

Forwarded HTTP header is relatively new standard which should replaced all x-* adhoc headers by standardized one. This resolver is using proto=foo part of the header and check for equality with https value.

More information can be found on MDN Complete implementation of Forwarded is located in Network.HTTP.Forwarded module

customProtoHeader :: ByteString -> HTTPSResolver Source #

Some reverse proxies (Kong) are using values similar to x-forwarded-proto but are using different headers. This resolver allows you to specify name of header which should be used for the check. Like xForwardedProto, request is considered as being secure if value of header is https.

data EnforceHTTPSConfig Source #

Configuration

EnforceHTTPSConfig does export constructor which should not collide with ny other functions and therefore can be exposed in import

import Network.Wai.Middleware.EnforceHTTPS (EnforceHTTPSConfig(..))

Default configuration is recommended but you're free to override any default value if you need to.

Configuration of httpsIsSecure can be set using withResolver function which is preferred way for overwriting default Resolver .

Constructors

EnforceHTTPSConfig
Fields httpsIsSecure :: HTTPSResolver httpsHostname :: Maybe ByteString httpsPort :: Int httpsIgnoreURL :: Bool httpsTemporary :: Bool httpsSkipDefaultPort :: Bool httpsRedirectMethods :: [Method] httpsDisallowStatus :: Status

defaultConfig :: EnforceHTTPSConfig Source #

Default Configuration Default resolver is proxy to Network.Wai.isSecure function

uses request Host header information to resolve hostname
standard HTTPS port 443
redirect includes path and url params
uses permanent redirect (301)
doesn't include port in Location header id port is 443
redirects GET and HEAD methods
all other methods are resolved with 405 (Method not Allowed) and with appropriate Allowed header

withConfig :: EnforceHTTPSConfig -> Middleware Source #

Construct Middleware for specific EnforceHTTPSConfig