Enable SSL by default (#119)

* Changes to app.yaml, package.json. and server.js, to enable SSL by default. Added express-sslify dependency to ensure HSTS, and helmet dependency, to be aligned with expressjs security best practices.

* Removing condition for tasks API on server.js file.

Author: demianrenzulli

amp-pwa-reader/app.yaml

@@ -1,2 +1,7 @@
 env: flex
 runtime: nodejs
+
+handlers:
+  - url: /.*
+    script: IGNORED
+    secure: always

amp-pwa-reader/package.json

@@ -13,6 +13,7 @@
     "connect-history-api-fallback": "*",
     "del": "*",
     "express": "^4.16.2",
+    "express-sslify": "^1.2.0",
     "gulp": "github:gulpjs/gulp#4.0",
     "gulp-autoprefixer": "*",
     "gulp-concat": "*",
@@ -24,6 +25,7 @@
     "gulp-sass": "*",
     "gulp-sourcemaps": "*",
     "gulp-uglify": "*",
+    "helmet": "^3.12.1",
     "memory-cache": "^0.2.0",
     "request": "^2.81.0",
     "uglify-es": "*",

amp-pwa-reader/src/server/server.js

@@ -20,10 +20,22 @@ const fs = require('fs');
 const path = require('path');
 const memCache = require('memory-cache');
 const pubBackend = require('./Backend.js');
+const enforce = require('express-sslify');
+const helmet = require('helmet');
+
+const ENVIRONMENT_PRODUCTION = 'production';
 
 const app = express();
 const pub = new pubBackend();
 
+app.use(helmet());
+
+if (app.get('env') === ENVIRONMENT_PRODUCTION) {
+    app.use((req, res, next) => {
+        enforce.HTTPS({ trustProtoHeader: true })(req, res, next);
+    });
+}
+
 // how long (in seconds) to cache requests for main feed and for any article
 const cacheDurations = {feed: 600, article: 3600};
 const feedURL = 'https://query.yahooapis.com/v1/public/yql';