Why does my worker have no redirect from HTTP to HTTPS, despite fetching and returning an HTTPS website?

Ok, so I made this worker to fetch and return (display) my website. However, when I run it through https://sitecheck.sucuri.net it says there’s a medium security risk and that there is no redirect from HTTP to HTTPS!

I’ve also provided the worker’s code (which is below).

addEventListener("fetch", (event) => {
  event.respondWith(
    handleRequest(event.request).catch(
      (err) => new Response(err.stack, { status: 200 })
    )
  );
});

/**
 * Many more examples available at:
 *   https://developers.cloudflare.com/workers/examples
 * @param {Request} request
 * @returns {Promise<Response>}
 */
async function handleRequest(request) {
  const { pathname } = new URL(request.url);

  if (pathname.startsWith("/api")) {
    return new Response(JSON.stringify({ pathname }), {
      headers: { "Content-Type": "application/json" },
    });
  }

  if (pathname.startsWith("/status")) {
    const httpStatusCode = Number(pathname.split("/")[2]);

    return Number.isInteger(httpStatusCode)
      ? fetch("https://aboutrock2.godaddysites.com/" + httpStatusCode)
      : new Response("That's not a valid HTTP status code.");
  }

  return fetch("https://aboutrock2.godaddysites.com/");
}

Do note that I do not have an origin website on my Cloudflare account!

Does anyone know what’s wrong and how I can fix this and reduce the security risk on my worker?

Yeah looks like workers.dev doesn’t redirect HTTP to HTTPS. Interesting, I’ll need to check if this is expected behavior.

Worth noting that .dev is on the HSTS preload list, meaning clients should always connect over HTTPS, so this should never be a problem (just for scanners/automated tools).

Edit: the 404 was me being st00pid, forgot this Worker got moved

What error code?

It’s in my message

For all pages or only some?

Again, it’s in my message. I’m just stating what I observed from my curl.

Ok, I know what 404 means but what does 1042 mean?

I just created another worker and it’s also affected!

Here’s the code for the worker

addEventListener("fetch", (event) => {
  event.respondWith(
    handleRequest(event.request).catch(
      (err) => new Response(err.stack, { status: 200 })
    )
  );
});

/**
 * Many more examples available at:
 *   https://developers.cloudflare.com/workers/examples
 * @param {Request} request
 * @returns {Promise<Response>}
 */
async function handleRequest(request) {
  const { pathname } = new URL(request.url);

  if (pathname.startsWith("/api")) {
    return new Response(JSON.stringify({ pathname }), {
      headers: { "Content-Type": "application/json" },
    });
  }

  if (pathname.startsWith("/status")) {
    const httpStatusCode = Number(pathname.split("/")[2]);

    return Number.isInteger(httpStatusCode)
      ? fetch("https://docs.google.com/forms/d/e/1FAIpQLSeiFYZTkffzWW1Ri_iq20R7B7DCorg00j4RM2YYiHWr7rOVaA/viewform" + httpStatusCode)
      : new Response("");
  }

  return fetch("https://docs.google.com/forms/d/e/1FAIpQLSeiFYZTkffzWW1Ri_iq20R7B7DCorg00j4RM2YYiHWr7rOVaA/viewform");
}

Is this occurring because it returns to a google form? (which will be insecure over public WIFI networks or WIFI networks with a weak password)

No… it’s happening because of exactly what I said before… nothing has changed since. I have contacted the team and the point about .dev still stands.

So it is secure, but to automated scanners it shows as insecure due to it being on the HSTS preload list?

For all browsers, it will automatically use HTTPS. A lot of automated tools will not know this and there is no redirect (again, told the team about that part) so yes, these scanners will see an issue but it isn’t representative of an actual browser.


So in other words, it’s a false-positive and there really isn’t a security issue?

No, it is not secure. You are allowing an HTTP connection from clients to the server. While modern browsers will not send the request over HTTP (due to HSTS preload on the .dev TLD), legacy browsers will, and you are not performing a redirect to force them over HTTPS.

There are two ways to fix that.

1. Use a custom domain where you enable Always Use HTTPS, and disable the workers.dev route.

2. Check the value of request.cf.tlsVersion in your worker, and redirect if it is not using TLS.

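The second fix in code, as an added example that is not the poster’s Worker or Cloudflare’s own template: it checks request.cf.tlsVersion (and the request scheme as a second signal), sends plaintext clients a 301 to the same path over HTTPS, and adds an HSTS header to proxied responses. The upstream URL is the one from the first post; the hostname in the comments is a constructed placeholder.

```javascript
// Added example: force HTTPS in a Worker before proxying the upstream site.
const ORIGIN = "https://aboutrock2.godaddysites.com/";

// A request arrived in the clear if the scheme is http: or if Cloudflare
// reports an empty TLS version. request.cf does not exist outside the Workers
// runtime (e.g. when testing locally), so fall back to the scheme alone then.
function isPlaintext(request) {
  const url = new URL(request.url);
  const tlsVersion = request.cf ? request.cf.tlsVersion : undefined;
  return url.protocol === "http:" || tlsVersion === "";
}

// Build a permanent redirect to the same path and query over HTTPS.
function httpsRedirect(request) {
  const url = new URL(request.url);
  url.protocol = "https:";
  return Response.redirect(url.toString(), 301);
}

async function handleRequest(request) {
  if (isPlaintext(request)) {
    return httpsRedirect(request);
  }
  const upstream = await fetch(ORIGIN);
  // Clone into a new Response so the headers are mutable, then add HSTS so a
  // browser that has seen one HTTPS response will not retry over HTTP.
  const response = new Response(upstream.body, upstream);
  response.headers.set(
    "Strict-Transport-Security",
    "max-age=31536000; includeSubDomains"
  );
  return response;
}

// Only register the fetch handler inside the Workers runtime; the guard lets
// the helper functions above be imported and exercised elsewhere.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```

With this in place a scanner sending a plain HTTP request sees the 301 instead of the proxied page, which is the redirect the Sucuri check looks for.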

So it’s a good and up-to-date TLS version, so what should I do now?

Ok, but what about the 1042 error? I noticed that as a mentioned error code in the reply you sent me (that had the embedded response). What does error code 1042 mean and how do I fix it?

That was from the 404 page because I moved that Worker. The scan thing is still just the HTTP → HTTPS redirect not being done by default. You could do this in your Worker (as Michael said) or see what the team says.

Are you suggesting creating a ticket then posting it here? Note: I only have a free plan so I’d have to email them directly (from my email, not the Cloudflare support page)!

No, I stated before that I asked the team about this already. Just awaiting their response.


How long should it take before a response?

However long until they’re free :^)

I will get a response when a member of the team is free, they are busy preparing for next week! Lots to come in the next innovation week :wink:
