{"id":15366623,"url":"https://github.com/turbomack/wai-enforce-https","last_synced_at":"2025-04-15T12:30:06.743Z","repository":{"id":46291818,"uuid":"164339039","full_name":"turboMaCk/wai-enforce-https","owner":"turboMaCk","description":"Enforce HTTPS in Wai server app safely.","archived":false,"fork":false,"pushed_at":"2021-11-01T17:23:29.000Z","size":42,"stargazers_count":13,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-25T11:02:19.572Z","etag":null,"topics":["haskell","heroku","https","middleware","reverse-proxies","tls","wai"],"latest_commit_sha":null,"homepage":"","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/turboMaCk.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-01-06T19:35:07.000Z","updated_at":"2024-01-12T08:06:26.000Z","dependencies_parsed_at":"2022-09-13T17:51:27.168Z","dependency_job_id":null,"html_url":"https://github.com/turboMaCk/wai-enforce-https","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turboMaCk%2Fwai-enforce-https","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turboMaCk%2Fwai-enforce-https/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turboMaCk%2Fwai-enforce-https/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turboMaCk%2Fwai-enforce-https/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/turboMaCk","download_url":"https://codeload.github.com/turboMaCk/wai-enforce-https/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249071893,"owners_count":21208079,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["haskell","heroku","https","middleware","reverse-proxies","tls","wai"],"created_at":"2024-10-01T13:19:19.556Z","updated_at":"2025-04-15T12:30:06.723Z","avatar_url":"https://github.com/turboMaCk.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003ch1\u003eWai Enforce HTTPS\u003c/h1\u003e\n \u003ca href=\"https://travis-ci.org/turboMaCk/wai-enforce-https\"\u003e\n \u003cimg src=\"https://travis-ci.org/turboMaCk/wai-enforce-https.svg?branch=master\" alt=\"build\"\u003e\n \u003c/a\u003e\n \u003cp\u003eSafely enforce HTTPS in wai application\u003c/p\u003e\n\u003c/div\u003e\n\n[Wai](https://hackage.haskell.org/package/wai) middleware enforcing HTTPS protocol on any incoming request.\nIn case of non-encrypted HTTP, traffic is redirected using `301 Permanent Redirect`\nor optionally `307 Temporary Redirect`.\n\nMiddleware has compatibility modes for various reverse proxies (load balancers) and therefore can be used\nwith Heroku, Google Cloud (Ingress), Azure or any other type of PAS or Cloud provider.\n\n## Comparison with ForceSSL\n\n[Wai-Extra](https://hackage.haskell.org/package/wai-extra-3.0.24.3/docs/Network-Wai-Middleware-ForceSSL.html)\npackage comes with `Network.Wai.Middleware.ForceSSL` module exposing middleware intended for the same purpose.\nThere are several practical weaknesses of this implementation compare to one provided by wai-enforce-https.\n\n| Behavior | EnforceHTTPS (wai-enforce-https) | ForceSSL (wai-extra) |\n|---------------------------------|-------------------------------------|----------------------|\n| Redirecting methods by default | `GET`, `HEAD` (by default) | All |\n| Redirect status | `301` (default) or `307` (optional) | `307` |\n| Safe against header spoofing | ✔ yes | ❌ no |\n| Forwarded spec compliant | ✔ yes | ❌ no |\n| Configurable port | ✔ yes | ❌ no |\n| Configurable host | ✔ yes | ❌ no |\n| 405 with `Allow` header support | ✔ yes | ❌ no |\n\nOverall, this package aims to be **secure by default** and **configurable** as much as possible\nto fit any specific needs.\n\n## Forwarded\n\nIn addition to the main functionality (enforcement of HTTPS) this package also\ncomes with module for parsing and encoding [Forwarded](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded)\nHTTP header.\n\n## Examples\n\nThis example is using [warp-tls](https://hackage.haskell.org/package/warp-tls)\nand runs 2 servers:\n\n- HTTP server on port 8080\n- HTTPS server on port 8443\n\nif you open http://127.0.0.1:8080 in browser server returns redirect\nto https://127.0.0.1:8443\n\n```haskell\n{-# LANGUAGE OverloadedStrings #-}\n\nmodule Main where\n\nimport Control.Concurrent (forkIO)\nimport Network.HTTP.Types (status200)\nimport Network.Wai (Application, responseLBS)\nimport Network.Wai.Handler.Warp (defaultSettings, run,\n setPort)\nimport Network.Wai.Handler.WarpTLS (runTLS, tlsSettings)\nimport Network.Wai.Middleware.EnforceHTTPS (EnforceHTTPSConfig (..))\n\nimport qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS\n\nhandler :: Application\nhandler _ respond =\n respond $ responseLBS status200 [] \"Hello over HTTPS\"\n\nhttpsConf :: EnforceHTTPSConfig\nhttpsConf = EnforceHTTPS.defaultConfig { httpsPort = 8443 }\n\napp :: Application\napp = EnforceHTTPS.withConfig httpsConf handler\n\nmain :: IO ()\nmain = do\n let tls = tlsSettings \"examples/cert.pem\" \"examples/key.pem\"\n _ \u003c- forkIO $ run 8080 app\n runTLS tls (setPort (httpsPort httpsConf) defaultSettings) app\n```\n\nAnother common example is running server behind reverse proxy.\nSay for instance we want to host our app on [Heroku](https://heroku.com)\nwhile using its https support and make sure we\nredirect all HTTP traffic to HTTPS.\nHeroku is forwarding traffic with additional header containing\ninformation about protocol named `x-forwarded-proto`.\n\n```haskell\n{-# LANGUAGE OverloadedStrings #-}\n\nmodule Main where\n\nimport Network.HTTP.Types (status200)\nimport Network.Wai (Application, responseLBS)\nimport Network.Wai.Handler.Warp (runEnv)\n\nimport qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS\n\nhandler :: Application\nhandler _ respond = respond $\n responseLBS status200 [] \"Hello from behind proxy\"\n\napp :: Application\napp = EnforceHTTPS.withResolver EnforceHTTPS.xForwardedProto handler\n\nmain :: IO ()\nmain = runEnv 8080 app\n```\n\n### Bulding Examples\n\nIn order to run examples project must be build with `examples` flag:\n\n```\n$ cabal build -f examples\n```\n\n\n## Credits\n\nDesign of this library is heavily based on my other project [koa-sslify](https://github.com/turboMaCk/koa-sslify)\nand is based on feedback and work of contributors of this library.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbomack%2Fwai-enforce-https","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fturbomack%2Fwai-enforce-https","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturbomack%2Fwai-enforce-https/lists"}