alphagov · hannalaakso · Jul 2, 2020 · Jun 22, 2020 · Jun 22, 2020 · Jun 22, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
 
+## Fixes
+
+- [Pull request #913: Fix security issue when running on Glitch](https://github.com/alphagov/govuk-prototype-kit/pull/913)
+
 # 9.8.0 (Feature release)
 
 ## New features

diff --git a/lib/middleware/authentication/authentication.js b/lib/middleware/authentication/authentication.js
@@ -20,7 +20,8 @@ module.exports = function (req, res, next) {
   const config = require('../../../app/config.js')
 
   // Local Variables
-  const env = (process.env.NODE_ENV || 'development').toLowerCase()
+  const glitchEnv = (process.env.PROJECT_REMIX_CHAIN) ? 'production' : false // glitch.com
+  const env = (process.env.NODE_ENV || glitchEnv || 'development').toLowerCase()
   const useAuth = (process.env.USE_AUTH || config.useAuth).toLowerCase()
   const username = process.env.USERNAME
   const password = process.env.PASSWORD

diff --git a/lib/utils.js b/lib/utils.js
@@ -113,7 +113,14 @@ exports.findAvailablePort = function (app, callback) {
 
 // Redirect HTTP requests to HTTPS
 exports.forceHttps = function (req, res, next) {
-  if (req.headers['x-forwarded-proto'] !== 'https') {
+  var protocol = req.headers['x-forwarded-proto']
+  // Glitch returns a comma separated list for x-forwarded-proto
+  // We need the first to determine if running on https
+  if (protocol) {
+    protocol = protocol.split(',').shift()
+  }
+
+  if (protocol !== 'https') {
     console.log('Redirecting request to https')
     // 302 temporary - this is a feature that can be disabled
     return res.redirect(302, 'https://' + req.get('Host') + req.url)

diff --git a/server.js b/server.js
@@ -53,7 +53,8 @@ documentationApp.use(utils.handleCookies(documentationApp))
 
 // Set up configuration variables
 var releaseVersion = packageJson.version
-var env = (process.env.NODE_ENV || 'development').toLowerCase()
+var glitchEnv = (process.env.PROJECT_REMIX_CHAIN) ? 'production' : false // glitch.com
+var env = (process.env.NODE_ENV || glitchEnv || 'development').toLowerCase()
 var useAutoStoreData = process.env.USE_AUTO_STORE_DATA || config.useAutoStoreData
 var useCookieSessionStore = process.env.USE_COOKIE_SESSION_STORE || config.useCookieSessionStore
 var useHttps = process.env.USE_HTTPS || config.useHttps