If you use the core force-ssl package with wildcard subdomains all pointing to the same server, then when navigating to http://demo.example.com, you’ll get redirected to https://example.com (assuming you started your app instance with ROOT_URL="https://example.com").
That’s not good if you’re detecting the subdomain in app code and serving up different content based on that.
In the last commit to the force-ssl package, the following change was made:
var host = req.headers.host || 'no-host-header';
was replaced with
var host = url.parse(Meteor.absoluteUrl()).hostname;
By forking the package and changing that line back to the original, I can get http://demo.example.com to redirect to https://demo.example.com.
So there is a working solution, but I’m not entirely happy with having to hack the package source. From the code comments before that change (below), it appears there was a good reason for making the change:
// if we don't have a host header, there's not a lot we can do. We
// don't know how to redirect them.
// XXX can we do better here?
Actually, this is implemented because of a security issue. We should not trust host header. If we do this, someone can deface our web app with force-ssl.
If you need a custom solution, you need to remove force-ssl package and try to implement something similar. In that also, don’t trust the host header. Do some validations.
Is the security issue mentioned essentially that they could inject code into the req.headers.host variable and have that run on the server? Or is it just that they could spoof the value?
No it’s not something like that. I’m quite not remember the exact case.
But, someone can change the host header before it reaches the server. There are plenty of ways to do that.