Currently, the HTTP → HTTPS redirect responds with an HTTP 301 that contains the original request URL, unencoded, in both the Location header AND the response body.
For example:
curl -v "http://terravera-dev.netlify.app/store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML"
* Host terravera-dev.netlify.app:80 was resolved.
* IPv6: 2600:1f18:16e:df01::65, 2600:1f18:16e:df02::65
* IPv4: 100.28.201.155, 34.234.106.80
* Trying [2600:1f18:16e:df01::65]:80...
* Connected to terravera-dev.netlify.app (2600:1f18:16e:df01::65) port 80
> GET /store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML HTTP/1.1
> Host: terravera-dev.netlify.app
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/plain; charset=utf-8
< Date: Wed, 21 May 2025 13:44:45 GMT
< Location: https://terravera-dev.netlify.app/store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML
< Server: Netlify
< X-Nf-Request-Id: 01JVSHDRNSRTZ1PCVH0B59QFE9
< Content-Length: 131
<
* Connection #0 to host terravera-dev.netlify.app left intact
Redirecting to https://terravera-dev.netlify.app/store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML
Because the original URL is echoed verbatim in the response body, security scanners can report a false positive. For example, Tenable Nessus plugin 10836 runs the following check: it requests /store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML
and reports a finding if the response body contains <SCRIPT>alert(document.domain)</SCRIPT>. The check looks at neither the status code nor the Content-Type, so the 301's text/plain body matches just as a reflected HTML page would:
# Find the web server port (default 80) and bail out if a generic XSS
# finding has already been recorded for it.
port = get_http_port(default:80);
if ( get_kb_item("www/" + port + "/generic_xss") ) exit(0);

if(get_port_state(port))
{
  # Request the probe URL and keep only the response body (bodyonly:1).
  req = http_get(item:"/store/agora.cgi?cart_id=<SCRIPT>alert(document.domain)</SCRIPT>&xm=on&product=HTML", port:port);
  r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
  if ( r == NULL ) exit(0);

  # Plain substring match: status code and Content-Type are never checked.
  if("<SCRIPT>alert(document.domain)</SCRIPT>" >< r) {
    security_note(port);
  }
}
I agree this check is somewhat crude and should be fixed, but this script hasn't been touched in decades, so that is not likely. Ideally, there would be a way to configure the response body so security scanners don't flag this as a potential XSS.
As a point of comparison, Vercel’s HTTP → HTTPS redirect has the response body “Redirecting…”
$ curl http://notion-clone-six-bay.vercel.app
Redirecting...
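To make the false positive concrete, here is an added example (not part of the original post, and not Nessus's own code) that reproduces plugin 10836's body-match logic offline and runs it against three constructed responses: a Netlify-style 301 that echoes the URL, a Vercel-style 301 with the fixed "Redirecting..." body, and a made-up genuinely vulnerable agora.cgi page. The hostnames and the vulnerable page are invented for illustration. A second, stricter check shows one way a scanner could avoid flagging the redirect: only count a 2xx text/html response that reflects the payload.

```python
# Added example: offline reproduction of the plugin 10836 body-match check,
# plus a stricter variant. Sample responses below are constructed, not captured.

PAYLOAD = "<SCRIPT>alert(document.domain)</SCRIPT>"
PROBE_PATH = "/store/agora.cgi?cart_id=" + PAYLOAD + "&xm=on&product=HTML"

# Constructed sample: a Netlify-style 301 that echoes the requested URL in
# both the Location header and a text/plain body. Hostname is made up.
NETLIFY_STYLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Location: https://example.netlify.app" + PROBE_PATH + "\r\n"
    "\r\n"
    "Redirecting to https://example.netlify.app" + PROBE_PATH
)

# Constructed sample: a Vercel-style 301 with a fixed body.
VERCEL_STYLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/plain\r\n"
    "Location: https://example.vercel.app" + PROBE_PATH + "\r\n"
    "\r\n"
    "Redirecting..."
)

# Constructed sample: what a genuinely vulnerable agora.cgi would look like,
# reflecting cart_id unescaped into an HTML page served with 200.
VULNERABLE_ORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Cart " + PAYLOAD + " not found</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers dict, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def nessus_style_check(raw):
    """Mirror the quoted NASL: bodyonly:1 plus a '><' substring test.

    Status code and Content-Type are deliberately ignored, exactly as in
    the plugin, so any body that echoes the URL verbatim matches.
    """
    _, _, body = parse_response(raw)
    return PAYLOAD in body


def stricter_check(raw):
    """Less crude variant: only a 2xx response whose body is HTML and
    reflects the payload unescaped counts as a reflected XSS candidate.

    A 3xx issued at the edge never reached agora.cgi, and browsers render
    a text/plain body as text rather than parsing it as markup.
    """
    status, headers, body = parse_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return 200 <= status < 300 and media_type == "text/html" and PAYLOAD in body


def compare_all():
    """Run both checks over the constructed samples, keyed by sample name."""
    samples = {
        "netlify_redirect": NETLIFY_STYLE,
        "vercel_redirect": VERCEL_STYLE,
        "vulnerable_origin": VULNERABLE_ORIGIN,
    }
    return {
        name: (nessus_style_check(raw), stricter_check(raw))
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, (crude, strict) in compare_all().items():
        print(f"{name:18} nessus_style={crude!s:5} stricter={strict}")
```

Running it shows the crude check firing on the Netlify-style redirect and the vulnerable page alike, while the stricter check fires only on the vulnerable page. Until the plugin changes, the practical options on the hosting side are the ones the post already points at: a fixed redirect body, or a body that percent-encodes the echoed URL so the literal payload never appears.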