Default protocol should be HTTPS not HTTP

Question

Default protocol should be HTTPS not HTTP

Closed this issue 3 years ago · 4 comments

TotallyInformation commented 3 years ago

It is very dangerous to have the default set to http and will lead people to thinking that they have a secure connection when they do not.

Answer 1 · 2021-05-20T08:30:06.000Z

Can you clarify where this default is set?

Answer 2 · 2021-05-27T11:35:19.000Z

In the connect options

https://www.npmjs.com/package/ngrok#options

Answer 3 · 2021-05-27T14:32:28.000Z

That option is for what ngrok exposes to the outside world, in the case of it being set to http it means that ngrok accepts an http OR https connection based on the hostname and then forwards it to the client via an encrypted tunnel.
The other option in there is TCP which is if you want to use ngrok to forward a raw TCP connection to you again via the secure tunnel.
There is a TLS optionin ngrok if you are providing your own TLS cert on the client end but this isn't exposed through the node and I don't see any demand for it, there is also a significant amount of extra coinfiguration in providing the certificates.

In the latest version you now have the option of binding which allows you to force ngrok to serve the public url over http, https or both, the default being both and then it is down to the client making the request to choose the secure url, by default the url we output from the node though is the https version where both are set.

Answer 4 · 2021-06-04T14:35:07.000Z

Gonna close this as 2.0.0 has had a fairly major overhaul, there's nothing that defaults to plain HTTP only.