zazuko/kopflos

Api Documentation link is HTTP where original request was HTTPS

Closed this issue · 6 comments

I'm requesting https://data-sheets-test.herokuapp.com/ which is a hydra-box app. The Link header points to an insecure endpoint for the API docs:

Link: <http://data-sheets-test.herokuapp.com/api>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"

It should, however, follow the same scheme that was used for the original request.

Hm, I'm looking at the code now and it looks like it is indeed correct.

The problem is probably SSL termination done by Heroku. The app is running on HTTP inside the process and Heroku serves it over SSL.

Guess we need a flag to enforce HTTPS link?

Did you set the HTTP header x-forwarded-proto? The absolute-url middleware is used to build the full IRI.

Hm, Heroku should be setting the X-Forwarded-* headers. The host is correctly substituted but the protocol isn't.

Maybe it's because the middleware performs a 'x-forwarded-proto' in this.headers check but the headers are case-insensitive?

Still a mystery why the other header has the expected effect

Maybe https is already the new default.

Express (or even the Node.js HTTP server) makes all header names lowercase. For incoming headers it should not be a problem. Anyway, the package could get a code cleanup and replace that part with req.get(). Can you make a simple app/route which just dumps the request headers?

Express (or even the Node.js HTTP server) makes all header names lowercase

Sorry, my bad, I mistook this for the fetch API.

Can you make a simple app/route which just dumps the request headers?

Yea, will add headers to a log message

Closing.

The solution is to call app.enable('trust proxy') or another variant thereof to trust the X-Forwarded-* headers.
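The behaviour the thread converges on can be shown in a few lines. The example below is added here and is not kopflos, hydra-box or absolute-url code: the functions `requestProtocol` and `apiDocumentationLink` are hand-rolled imitations of what Express does for `req.protocol` when `trust proxy` is off versus on (`app.enable('trust proxy')` is the same as `app.set('trust proxy', true)`), and the request objects are constructed to resemble what a Heroku dyno sees after TLS termination. Node.js lowercases incoming header names, so a lowercase lookup of `x-forwarded-proto` is correct regardless of how the proxy spelled it.

```javascript
// Added example, not project code. Reproduces the Link header discussed in
// the issue, first with 'trust proxy' disabled (the reported bug) and then
// enabled (the fix), and shows why the flag must only be turned on when a
// proxy that overwrites X-Forwarded-Proto sits in front of the app.

const HYDRA_API_DOC = 'http://www.w3.org/ns/hydra/core#apiDocumentation';

// Imitation of Express's req.protocol (hypothetical helper, not the real one).
// Without trust proxy the scheme comes from the socket, which is plain HTTP
// inside a Heroku dyno. With trust proxy the first X-Forwarded-Proto value wins.
function requestProtocol(req, trustProxy) {
  const fromSocket = req.socket && req.socket.encrypted ? 'https' : 'http';
  if (!trustProxy) return fromSocket;
  const fwd = req.headers['x-forwarded-proto'];
  if (!fwd) return fromSocket;
  // Chained proxies may append values ("https, http"); the left-most one is
  // the scheme the client actually used.
  return String(fwd).split(',')[0].trim().toLowerCase();
}

// Builds the hydra apiDocumentation Link header from the Host header and the
// resolved scheme. Heroku forwards the original Host unchanged, which is why
// the host in the reported header was already right.
function apiDocumentationLink(req, { trustProxy = false, path = '/api' } = {}) {
  const base = `${requestProtocol(req, trustProxy)}://${req.headers.host}`;
  return `<${base}${path}>; rel="${HYDRA_API_DOC}"`;
}

// Constructed request: what the dyno sees for an HTTPS request after Heroku's
// router terminated TLS. The socket is plain, the router set the forwarded headers.
const herokuRequest = {
  socket: { encrypted: false },
  headers: {
    host: 'data-sheets-test.herokuapp.com',
    'x-forwarded-proto': 'https',
    'x-forwarded-port': '443',
  },
};

// Constructed request: a client talking to the app directly over plain HTTP
// and forging X-Forwarded-Proto. With no trusted proxy in front, the header
// must be ignored, otherwise anyone can make the app emit https links
// (or pass an "is this request secure?" check) for an insecure connection.
const forgedDirectRequest = {
  socket: { encrypted: false },
  headers: {
    host: 'localhost:3000',
    'x-forwarded-proto': 'https',
  },
};

console.log('trust proxy off:', apiDocumentationLink(herokuRequest));
console.log('trust proxy on: ', apiDocumentationLink(herokuRequest, { trustProxy: true }));
console.log('forged, trust proxy off:', requestProtocol(forgedDirectRequest, false));
console.log('forged, trust proxy on: ', requestProtocol(forgedDirectRequest, true));
```

With the flag off the first line reproduces the `http://...` Link header from the report; with it on the scheme follows X-Forwarded-Proto. The last two lines are the caveat: `trust proxy` turns a client-controlled header into the source of truth, so enable it only when the app is reachable exclusively through a proxy (Heroku's router here) that sets or overwrites that header, or use Express's narrower forms of the setting that name the proxy addresses to trust.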