From c29724c170cf19c620ddbb33850430548275c8c5 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Thu, 4 Jun 2026 02:59:52 +0530
Subject: [PATCH] Add HTTPS enforcement middleware for production deployments (Issue #701)

Implement automatic HTTP to HTTPS redirection in production environments. This ensures that all credentials and sensitive data are transmitted only over encrypted HTTPS connections, preventing man-in-the-middle attacks and credential leaks.

Changes:
- Create httpsRedirect middleware that checks x-forwarded-proto header
- Redirect HTTP requests to HTTPS in production
- Add middleware to server.js before other routes
- Handles reverse proxy scenarios (Netlify, Heroku, etc.)

Fixes #701
---
 backend/middleware/httpsRedirect.js | 10 ++++++++++
 backend/server.js | 4 ++++
 2 files changed, 14 insertions(+)
 create mode 100644 backend/middleware/httpsRedirect.js

diff --git a/backend/middleware/httpsRedirect.js b/backend/middleware/httpsRedirect.js
new file mode 100644
index 00000000..b3e4ab84
--- /dev/null
+++ b/backend/middleware/httpsRedirect.js
@@ -0,0 +1,10 @@
+const httpsRedirect = (req, res, next) => {
+ if (process.env.NODE_ENV === 'production') {
+ if (req.header('x-forwarded-proto') !== 'https') {
+ return res.redirect(301, `https://${req.header('host')}${req.url}`);
+ }
+ }
+ next();
+};
+
+module.exports = httpsRedirect;
diff --git a/backend/server.js b/backend/server.js
index 48d6ccfb..73218cf7 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -10,9 +10,13 @@ const cors = require('cors');
 require('./config/passportConfig');
 const logger = require('./logger');
+const httpsRedirect = require('./middleware/httpsRedirect');
 const app = express();
+// HTTPS enforcement (must be before other middleware)
+app.use(httpsRedirect);
+
 // CORS configuration
 const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
 app.use(cors({
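Review bot: The `res.redirect` line decides purely on `x-forwarded-proto === 'https'`, so a production process where TLS terminates in Node itself (no proxy, header absent) or where a proxy chain sends `https,http` never matches and redirects every request to itself in a loop; test `req.secure` as well and compare only the first hop of the header. The 301 is also issued for POST/PUT, which turns them into GETs and does nothing for a body that already crossed the wire in plaintext — the commit message's claim that this ensures credentials are only ever sent over HTTPS holds only for later navigations, and an `Strict-Transport-Security` response header (here or at the proxy) is what keeps browsers from sending the first request over HTTP at all. The redirect target is built from the client-supplied `Host` header, so unless Netlify/Heroku pins it this is an open redirect to any host the client names; a configured canonical host, or a check against the `allowedOrigins` list already in server.js, would close that, and `req.originalUrl` is the safer path source should the middleware ever run under a mounted router. The rewrite below addresses the loop and method handling; the host allow-list is left as a TODO since the canonical hostname is not visible in this diff.

```javascript
const httpsRedirect = (req, res, next) => {
  if (process.env.NODE_ENV !== 'production') return next();
  // Only the first hop of a possibly comma-separated X-Forwarded-Proto chain;
  // req.secure covers TLS terminated in-process or an Express 'trust proxy' setup.
  const forwarded = (req.header('x-forwarded-proto') || '').split(',')[0].trim().toLowerCase();
  if (req.secure || forwarded === 'https') return next();
  // A request with a body has already leaked over plaintext; refuse rather than
  // 301 it (which would also downgrade the method to GET).
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    return res.status(403).send('HTTPS required');
  }
  // TODO(review): validate host against the deployment's canonical hostname
  // (e.g. the allowedOrigins list) — Host is client-controlled.
  const host = req.header('host');
  return res.redirect(301, `https://${host}${req.originalUrl}`);
};
```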