How to detect HTTPS redirection on Azure Websites?

Question

As per the title, I have a Node.js application and I want to be able to detect whether a request is being made over HTTPS or HTTP. So far my redirection looks like this:

// Ensure the page is secure, or that we are running a development build
if (req.headers['x-forwarded-proto'] === 'https' || process.env.NODE_ENV === 'development') {
    res.render('index');
} else {
    winston.info('Request for login page made over HTTP, redirecting to HTTPS');
    res.redirect('https://' + req.host);
}

Which works fine on Nodejitsu, but a redirected HTTPS request doesn't have the 'x-forwarded-proto' header set on Azure.

Answer 1

I think I was correct in my comment:

X-ARR-SSL seems to be the header to check for.

// Ensure the page is secure, or that we are running a development build
if (req.headers['x-forwarded-proto'] === 'https' || req.headers['x-arr-ssl'] || process.env.NODE_ENV === 'development') {
    res.render('index');
} else {
    winston.info('Request for login page made over HTTP, redirecting to HTTPS');
    res.redirect('https://' + req.host);
}

Answer 2

Ran into the exact same issue, but solved it in a different way. If you're using Express and enable trust proxy then req.protocol will pick up the x-forwarded-proto header. Azure doesn't set the x-forwarded-proto header, but you can use the x-arr-ssl header to hack it in manually so that req.protocol will return the correct value in the rest of your app.

Here's a gist: https://gist.github.com/freshlogic/6348417

var express = require('express');

var app = express();
app.enable('trust proxy');

// HACK: Azure doesn't support X-Forwarded-Proto so we add it manually
app.use(function(req, res, next) {
    if(req.headers['x-arr-ssl'] && !req.headers['x-forwarded-proto']) {
        req.headers['x-forwarded-proto'] = 'https';
    }

    return next();
});

Answer 3

UPDATE-2021: This is a very old answer. For a long time there is an option on all app service plans that support Custom domains. Go to the Custom domains blade in the azure portal for the App Service and set the HTTPS only checkbox. This will redirect even before traffic hits the app service.