esm.sh Redirect @latest switches from https to http

hi, i'm using the docker image.

when using https://..../react@latest i'm getting a 302 with new location http://.../[email protected].... how can i change the behavior to stay on https://....?

Dec 13 '24 13:12 de-peter

I'm also having this issue on kubernetes setup. It seems that the 302 redirect with http location is causing the real resource to fail loading with "CORS Missing Allow Origin". Maybe there's some Istio magic I could do, but it would really help if ESM.sh could return https location.

Feb 12 '25 16:02 andi4000

Looking at the implementation here: https://github.com/esm-dev/esm.sh/blob/0c43d47346bb7fc944521bf79619297f97610441/server/router.go#L1789-L1803

Our "hack" is to add CF-Visitor: '{"scheme": "https"}' header to the request, before forwarding it to the ESM container, so that ESM returns https location.

Works with semver request like https://host/pkg@latest and https://host/pkg@^1.

Feb 12 '25 17:02 andi4000

I'm thinking of adding an option for it.

Feb 13 '25 04:02 ije

Yup, this is quite surprising and took some time to debug :)

Feb 14 '25 14:02 black-snow

i've tried your hack. but imports to css didn't work. they answer with 302 found and a location target with http://...

i'm on azure and tried to add the header via application gateway. any ideas?

PS: Custom header CF-Visitor Header value {"scheme": "https"}

Feb 19 '25 05:02 de-peter

you can simply add the X-Real-Origin header with "https://your-company.com" or use cloudflare

Feb 19 '25 06:02 ije

that did the "trick". great. thanks

Feb 19 '25 07:02 de-peter

Ran into this issue today and resolved it with the CF-Visitor header. Wondering if it makes sense to check for the Forwarded and/or X-Forwarded-Proto headers as those seem to be fairly standard for reverse proxies / load balancers

Mar 29 '25 04:03 nicky9door