Parse-dashboard: Enforce https behind proxies

Created on 21 Apr 2016  路  3Comments  路  Source: parse-community/parse-dashboard

At the moment the HTTPS check is pretty simple and doesn't account for platforms where the node app is hosted behind an ssl terminating proxy (heroku for example).

Checking the "X-Forwarded-Proto" header is a good start but as @flovilmart has mentioned, this can easily be spoofed. I'm yet to find a bulletproof solution, so open to suggestions. Here's a quick link dump I've found on what others have done for reference:

Most helpful comment

My preference would be to have the --allowInscureHTTP flag actually just enable the 'trust proxy' setting in Express. That is at least more secure than the current setup. I just want to avoid having beginners enable --allowInsecureHTTP blindly because they just want it to work.

All 3 comments

When not running HTTPS you have the allowInsectureHTTP flag that allows you to trust the incoming request. Your heroku server should not respond to HTTP requests (or redirect them to HTTPS).

My preference would be to have the --allowInscureHTTP flag actually just enable the 'trust proxy' setting in Express. That is at least more secure than the current setup. I just want to avoid having beginners enable --allowInsecureHTTP blindly because they just want it to work.

Agreed!

Was this page helpful?
0 / 5 - 0 ratings