zero-http 0.2.0 → 0.2.1

package/documentation/public/vendor/icons/compress.svg

@@ -0,0 +1,27 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-comp" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Outer large container (uncompressed) -->
+  <rect x="6" y="8" width="24" height="48" rx="5" fill="url(#g-comp)" opacity="0.3"/>
+  <!-- Inward arrows implying compression -->
+  <path d="M6 20h8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <path d="M30 20h-8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <path d="M6 32h8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <path d="M30 32h-8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <path d="M6 44h8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <path d="M30 44h-8" stroke="#ffffff" stroke-width="2" stroke-linecap="round" opacity="0.6"/>
+  <!-- Arrow pointing to compressed result -->
+  <path d="M34 32h6" stroke="url(#g-comp)" stroke-width="2.5" stroke-linecap="round"/>
+  <path d="M38 28l4 4-4 4" fill="none" stroke="url(#g-comp)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"/>
+  <!-- Compact compressed block -->
+  <rect x="44" y="20" width="14" height="24" rx="4" fill="url(#g-comp)"/>
+  <!-- White highlight lines on compressed block -->
+  <line x1="48" y1="27" x2="54" y2="27" stroke="rgba(255,255,255,0.8)" stroke-width="1.5" stroke-linecap="round"/>
+  <line x1="48" y1="32" x2="54" y2="32" stroke="rgba(255,255,255,0.55)" stroke-width="1.5" stroke-linecap="round"/>
+  <line x1="48" y1="37" x2="52" y2="37" stroke="rgba(255,255,255,0.35)" stroke-width="1.5" stroke-linecap="round"/>
+</svg>

package/documentation/public/vendor/icons/https.svg

@@ -0,0 +1,23 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-tls" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Shield shape -->
+  <path d="M32 6 L52 16 L52 34 C52 48 32 58 32 58 C32 58 12 48 12 34 L12 16 Z" fill="url(#g-tls)"/>
+  <!-- White highlight on shield -->
+  <path d="M32 10 L48 18 L48 33 C48 44 32 53 32 53 C32 53 30 52 28 50" fill="rgba(255,255,255,0.08)" stroke="none"/>
+  <!-- Lock body -->
+  <rect x="24" y="30" width="16" height="14" rx="3" fill="rgba(255,255,255,0.9)"/>
+  <!-- Lock shackle -->
+  <path d="M27 30 V24 C27 19 37 19 37 24 V30" fill="none" stroke="rgba(255,255,255,0.9)" stroke-width="3" stroke-linecap="round"/>
+  <!-- Keyhole -->
+  <circle cx="32" cy="36" r="2.5" fill="url(#g-tls)"/>
+  <rect x="31" y="36" width="2" height="4" rx="1" fill="url(#g-tls)"/>
+  <!-- Sparkle dots -->
+  <circle cx="50" cy="10" r="1.5" fill="rgba(255,255,255,0.6)"/>
+  <circle cx="54" cy="14" r="1" fill="rgba(255,255,255,0.35)"/>
+</svg>

package/documentation/public/vendor/icons/router.svg

@@ -0,0 +1,29 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-rtr" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Central hub node -->
+  <circle cx="32" cy="32" r="10" fill="url(#g-rtr)"/>
+  <circle cx="32" cy="32" r="4" fill="rgba(255,255,255,0.85)"/>
+  <!-- Branch: top-left -->
+  <line x1="24" y1="24" x2="14" y2="14" stroke="url(#g-rtr)" stroke-width="2.5" stroke-linecap="round"/>
+  <rect x="6" y="6" width="14" height="12" rx="3.5" fill="url(#g-rtr)" opacity="0.7"/>
+  <line x1="10" y1="11" x2="16" y2="11" stroke="rgba(255,255,255,0.7)" stroke-width="1.5" stroke-linecap="round"/>
+  <line x1="10" y1="14" x2="14" y2="14" stroke="rgba(255,255,255,0.4)" stroke-width="1.5" stroke-linecap="round"/>
+  <!-- Branch: top-right -->
+  <line x1="40" y1="24" x2="50" y2="14" stroke="url(#g-rtr)" stroke-width="2.5" stroke-linecap="round"/>
+  <rect x="44" y="6" width="14" height="12" rx="3.5" fill="url(#g-rtr)" opacity="0.7"/>
+  <line x1="48" y1="11" x2="54" y2="11" stroke="rgba(255,255,255,0.7)" stroke-width="1.5" stroke-linecap="round"/>
+  <line x1="48" y1="14" x2="52" y2="14" stroke="rgba(255,255,255,0.4)" stroke-width="1.5" stroke-linecap="round"/>
+  <!-- Branch: bottom-center -->
+  <line x1="32" y1="42" x2="32" y2="50" stroke="url(#g-rtr)" stroke-width="2.5" stroke-linecap="round"/>
+  <rect x="22" y="50" width="20" height="10" rx="3.5" fill="url(#g-rtr)" opacity="0.7"/>
+  <line x1="26" y1="55" x2="38" y2="55" stroke="rgba(255,255,255,0.7)" stroke-width="1.5" stroke-linecap="round"/>
+  <line x1="26" y1="58" x2="34" y2="58" stroke="rgba(255,255,255,0.4)" stroke-width="1.5" stroke-linecap="round"/>
+  <!-- Sparkle -->
+  <circle cx="56" cy="28" r="1.5" fill="rgba(255,255,255,0.5)"/>
+</svg>

package/documentation/public/vendor/icons/sse.svg

@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-sse" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Server box -->
+  <rect x="8" y="16" width="20" height="32" rx="5" fill="url(#g-sse)"/>
+  <!-- White indicator dots on server -->
+  <circle cx="18" cy="25" r="2.5" fill="rgba(255,255,255,0.9)"/>
+  <circle cx="18" cy="32" r="2.5" fill="rgba(255,255,255,0.55)"/>
+  <circle cx="18" cy="39" r="2.5" fill="rgba(255,255,255,0.35)"/>
+  <!-- Three streaming arrows flowing right -->
+  <line x1="32" y1="24" x2="50" y2="24" stroke="url(#g-sse)" stroke-width="3" stroke-linecap="round"/>
+  <path d="M47 20l5 4-5 4" fill="none" stroke="url(#g-sse)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"/>
+  <line x1="34" y1="32" x2="52" y2="32" stroke="url(#g-sse)" stroke-width="3" stroke-linecap="round" opacity="0.7"/>
+  <path d="M49 28l5 4-5 4" fill="none" stroke="url(#g-sse)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" opacity="0.7"/>
+  <line x1="36" y1="40" x2="54" y2="40" stroke="url(#g-sse)" stroke-width="3" stroke-linecap="round" opacity="0.45"/>
+  <path d="M51 36l5 4-5 4" fill="none" stroke="url(#g-sse)" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" opacity="0.45"/>
+  <!-- White sparkle -->
+  <circle cx="54" cy="18" r="2" fill="rgba(255,255,255,0.7)"/>
+  <circle cx="57" cy="14" r="1" fill="rgba(255,255,255,0.4)"/>
+</svg>

package/documentation/public/vendor/icons/websocket.svg

@@ -0,0 +1,21 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="64" height="64" aria-hidden="true">
+  <defs>
+    <linearGradient id="g-ws" x1="0" x2="1">
+      <stop offset="0" stop-color="#7b61ff"/>
+      <stop offset="1" stop-color="#3ec6ff"/>
+    </linearGradient>
+  </defs>
+  <rect width="64" height="64" rx="8" fill="transparent"/>
+  <!-- Two speech bubbles overlapping to represent bidirectional real-time messaging -->
+  <rect x="6" y="10" width="32" height="22" rx="6" fill="url(#g-ws)"/>
+  <polygon points="14,32 20,40 24,32" fill="url(#g-ws)"/>
+  <!-- White dots in left bubble -->
+  <circle cx="15" cy="21" r="2.5" fill="rgba(255,255,255,0.85)"/>
+  <circle cx="22" cy="21" r="2.5" fill="rgba(255,255,255,0.85)"/>
+  <circle cx="29" cy="21" r="2.5" fill="rgba(255,255,255,0.85)"/>
+  <!-- Second bubble (offset) -->
+  <rect x="26" y="28" width="32" height="20" rx="6" fill="url(#g-ws)" opacity="0.75"/>
+  <polygon points="44,48 48,55 52,48" fill="url(#g-ws)" opacity="0.75"/>
+  <!-- Arrow inside second bubble implying response -->
+  <path d="M34 38h16M44 34l6 4-6 4" stroke="#ffffff" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

package/index.js

@@ -4,12 +4,16 @@
  *              Re-exports every middleware, the app factory, and the fetch helper.
  */
 const App = require('./lib/app');
-const cors = require('./lib/cors');
+const Router = require('./lib/router');
+const cors = require('./lib/middleware/cors');
 const fetch = require('./lib/fetch');
 const body = require('./lib/body');
-const serveStatic = require('./lib/static');
-const rateLimit = require('./lib/rateLimit');
-const logger = require('./lib/logger');
+const serveStatic = require('./lib/middleware/static');
+const rateLimit = require('./lib/middleware/rateLimit');
+const logger = require('./lib/middleware/logger');
+const compress = require('./lib/middleware/compress');
+const { WebSocketConnection } = require('./lib/ws');
+const { SSEStream } = require('./lib/sse');
 
 module.exports = {
     /**
@@ -17,6 +21,12 @@ module.exports = {
      * @returns {import('./lib/app')} Fresh App with an empty middleware stack.
      */
     createApp: () => new App(),
+    /**
+     * Create a standalone Router for modular route grouping.
+     * Mount on an App with `app.use('/prefix', router)`.
+     * @returns {import('./lib/router')} Fresh Router instance.
+     */
+    Router: () => new Router(),
     /** @see module:cors */
     cors,
     /** @see module:fetch */
@@ -40,4 +50,11 @@ module.exports = {
     rateLimit,
     /** @see module:logger */
     logger,
+    /** @see module:compress */
+    compress,
+    // classes (for advanced / direct usage)
+    /** @see module:ws/connection */
+    WebSocketConnection,
+    /** @see module:sse/stream */
+    SSEStream,
 };

package/lib/app.js

@@ -1,12 +1,15 @@
 /**
  * @module app
- * @description Express-like HTTP application with middleware pipeline and
- *              method-based routing.  Created via `createApp()` in the public API.
+ * @description Express-like HTTP application with middleware pipeline,
+ *              method-based routing, HTTPS support, built-in WebSocket
+ *              upgrade handling, and route introspection.
+ *              Created via `createApp()` in the public API.
  */
 const http = require('http');
+const https = require('https');
 const Router = require('./router');
-const Request = require('./request');
-const Response = require('./response');
+const { Request, Response } = require('./http');
+const { handleUpgrade } = require('./ws');
 
 class App
 {
@@ -25,19 +28,26 @@ class App
         this.middlewares = [];
         /** @type {Function|null} */
         this._errorHandler = null;
+        /** @type {Map<string, { handler: Function, opts: object }>} WebSocket upgrade handlers keyed by path */
+        this._wsHandlers = new Map();
+        /** @type {import('http').Server|import('https').Server|null} */
+        this._server = null;
 
         // Bind for use as `http.createServer(app.handler)`
         this.handler = (req, res) => this.handle(req, res);
     }
 
+    // -- Middleware -------------------------------------
+
     /**
-     * Register middleware.
+     * Register middleware or mount a sub-router.
      * - `use(fn)` — global middleware applied to every request.
      * - `use('/prefix', fn)` — path-scoped middleware (strips the prefix
      *   before calling `fn` so downstream sees relative paths).
+     * - `use('/prefix', router)` — mount a Router sub-app at the given prefix.
      *
-     * @param {string|Function} pathOrFn - A path prefix string, or middleware function.
-     * @param {Function}        [fn]     - Middleware function when first arg is a path.
+     * @param {string|Function}       pathOrFn - A path prefix string, or middleware function.
+     * @param {Function|Router}       [fn]     - Middleware function or Router when first arg is a path.
      */
     use(pathOrFn, fn)
     {
@@ -45,6 +55,11 @@ class App
         {
             this.middlewares.push(pathOrFn);
         }
+        else if (typeof pathOrFn === 'string' && fn instanceof Router)
+        {
+            // Mount a sub-router
+            this.router.use(pathOrFn, fn);
+        }
         else if (typeof pathOrFn === 'string' && typeof fn === 'function')
         {
             const prefix = pathOrFn.endsWith('/') ? pathOrFn.slice(0, -1) : pathOrFn;
@@ -78,6 +93,8 @@ class App
         this._errorHandler = fn;
     }
 
+    // -- Request Handling ------------------------------
+
     /**
      * Core request handler.  Wraps the raw Node `req`/`res` in
      * {@link Request}/{@link Response} wrappers, runs the middleware
@@ -124,27 +141,140 @@ class App
         run();
     }
 
+    // -- Server Lifecycle ------------------------------
+
     /**
-     * Start listening for HTTP connections.
+     * Start listening for HTTP or HTTPS connections.
+     *
+     * @param {number}   [port=3000]   - Port number to bind.
+     * @param {object|Function} [opts] - TLS options `{ key, cert, ... }` for HTTPS, or a callback.
+     * @param {Function} [cb]          - Callback invoked once the server is listening.
+     * @returns {import('http').Server|import('https').Server} The underlying server.
      *
-     * @param {number}   [port=3000] - Port number to bind.
-     * @param {Function} [cb]        - Callback invoked once the server is listening.
-     * @returns {import('http').Server} The underlying Node HTTP server.
+     * @example
+     *   // Plain HTTP
+     *   app.listen(3000, () => console.log('HTTP on 3000'));
+     *
+     *   // HTTPS
+     *   app.listen(443, { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') },
+     *              () => console.log('HTTPS on 443'));
      */
-    listen(port = 3000, cb)
+    listen(port = 3000, opts, cb)
     {
-        const server = http.createServer(this.handler);
+        // Normalise arguments — allow `listen(port, cb)` without opts
+        if (typeof opts === 'function') { cb = opts; opts = undefined; }
+
+        const isHTTPS = opts && (opts.key || opts.pfx || opts.cert);
+        const server = isHTTPS
+            ? https.createServer(opts, this.handler)
+            : http.createServer(this.handler);
+
+        this._server = server;
+
+        // Always attach WebSocket upgrade handling so ws() works
+        // regardless of registration order (before or after listen).
+        server.on('upgrade', (req, socket, head) =>
+        {
+            if (this._wsHandlers.size > 0)
+                handleUpgrade(req, socket, head, this._wsHandlers);
+            else
+                socket.destroy();
+        });
+
         return server.listen(port, cb);
     }
 
+    /**
+     * Gracefully close the server, stopping new connections.
+     *
+     * @param {Function} [cb] - Callback invoked once the server has closed.
+     */
+    close(cb)
+    {
+        if (this._server) this._server.close(cb);
+    }
+
+    // -- WebSocket Support -----------------------------
+
+    /**
+     * Register a WebSocket upgrade handler for a path.
+     *
+     * The handler receives `(ws, req)` where `ws` is a rich WebSocket
+     * connection object.  See {@link WebSocketConnection} for the full API.
+     *
+     * @param {string}   path        - URL path to listen for upgrade requests.
+     * @param {object|Function} [opts] - Options object, or the handler function directly.
+     * @param {number}   [opts.maxPayload=1048576]  - Maximum incoming frame size in bytes (default 1 MB).
+     * @param {number}   [opts.pingInterval=30000]  - Auto-ping interval in ms. Set `0` to disable.
+     * @param {Function} [opts.verifyClient]        - `(req) => boolean` — return false to reject the upgrade.
+     * @param {Function} handler     - `(ws, req) => void`.
+     *
+     * @example
+     *   // Simple
+     *   app.ws('/chat', (ws, req) => {
+     *       ws.on('message', data => ws.send('echo: ' + data));
+     *   });
+     *
+     *   // With options
+     *   app.ws('/feed', { maxPayload: 64 * 1024, pingInterval: 15000 }, (ws, req) => {
+     *       console.log('client', ws.id, 'from', ws.ip);
+     *       ws.sendJSON({ hello: 'world' });
+     *   });
+     */
+    ws(path, opts, handler)
+    {
+        // Normalise arguments: ws(path, handler) or ws(path, opts, handler)
+        if (typeof opts === 'function') { handler = opts; opts = {}; }
+        if (!opts) opts = {};
+
+        this._wsHandlers.set(path, { handler, opts });
+    }
+
+    // -- Route Introspection ---------------------------
+
+    /**
+     * Return a flat list of all registered routes across the router tree,
+     * including mounted sub-routers.  Useful for debugging, auto-generated
+     * docs, or CLI tooling.
+     *
+     * @returns {{ method: string, path: string }[]}
+     *
+     * @example
+     *   app.routes().forEach(r => console.log(r.method, r.path));
+     *   // GET  /users
+     *   // POST /users
+     *   // GET  /api/v1/items/:id
+     */
+    routes()
+    {
+        return this.router.inspect();
+    }
+
+    // -- Route Registration ----------------------------
+
+    /**
+     * Extract an options object from the head of the handlers array when
+     * the first argument is a plain object (not a function).
+     * @private
+     */
+    _extractOpts(fns)
+    {
+        let opts = {};
+        if (fns.length > 0 && typeof fns[0] === 'object' && typeof fns[0] !== 'function')
+        {
+            opts = fns.shift();
+        }
+        return opts;
+    }
+
     /**
      * Register one or more handler functions for a specific HTTP method and path.
      *
      * @param {string}      method - HTTP method (GET, POST, etc.) or 'ALL'.
      * @param {string}      path   - Route pattern (e.g. '/users/:id').
-     * @param {...Function} fns    - Handler functions `(req, res, next) => void`.
+     * @param {...Function|object} fns - Optional options object `{ secure }` followed by handler functions.
      */
-    route(method, path, ...fns) { this.router.add(method, path, fns); }
+    route(method, path, ...fns) { const o = this._extractOpts(fns); this.router.add(method, path, fns, o); }
 
     /** @see App#route — shortcut for GET requests.    */ get(path, ...fns) { this.route('GET', path, ...fns); }
     /** @see App#route — shortcut for POST requests.   */ post(path, ...fns) { this.route('POST', path, ...fns); }

package/lib/body/json.js

@@ -15,6 +15,7 @@ const sendError = require('./sendError');
  * @param {Function}        [options.reviver]  - `JSON.parse` reviver function.
  * @param {boolean}         [options.strict=true] - When true, reject non-object/array roots.
  * @param {string|Function} [options.type='application/json'] - Content-Type to match.
+ * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  */
 function json(options = {})
@@ -24,9 +25,11 @@ function json(options = {})
   const reviver = opts.reviver;
   const strict = (opts.hasOwnProperty('strict')) ? !!opts.strict : true;
   const typeOpt = opts.type || 'application/json';
+  const requireSecure = !!opts.requireSecure;
 
   return async (req, res, next) =>
   {
+    if (requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
     const ct = (req.headers['content-type'] || '');
     if (!isTypeMatch(ct, typeOpt)) return next();
     try

package/lib/body/multipart.js

@@ -77,12 +77,14 @@ function parseContentDisposition(cd)
  * @param {object} [opts]
  * @param {string} [opts.dir]             - Upload directory (default: OS temp dir).
  * @param {number} [opts.maxFileSize]     - Maximum file size in bytes.
+ * @param {boolean} [opts.requireSecure=false] - When true, reject non-HTTPS requests with 403.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  */
 function multipart(opts = {})
 {
     return async (req, res, next) =>
     {
+        if (opts.requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
         const ct = req.headers['content-type'] || '';
         const m = /boundary=(?:"([^"]+)"|([^;\s]+))/i.exec(ct);
         if (!m) return next();

package/lib/body/raw.js

@@ -13,6 +13,7 @@ const sendError = require('./sendError');
  * @param {object}          [options]
  * @param {string|number}   [options.limit]                           - Max body size.
  * @param {string|Function} [options.type='application/octet-stream'] - Content-Type to match.
+ * @param {boolean}         [options.requireSecure=false]             - When true, reject non-HTTPS requests with 403.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  */
 function raw(options = {})
@@ -20,9 +21,11 @@ function raw(options = {})
     const opts = options || {};
     const limit = opts.limit || null;
     const typeOpt = opts.type || 'application/octet-stream';
+    const requireSecure = !!opts.requireSecure;
 
     return async (req, res, next) =>
     {
+        if (requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
         const ct = (req.headers['content-type'] || '');
         if (!isTypeMatch(ct, typeOpt)) return next();
         try

package/lib/body/text.js

@@ -14,6 +14,7 @@ const sendError = require('./sendError');
  * @param {string|number}   [options.limit]              - Max body size.
  * @param {string}          [options.encoding='utf8']    - Character encoding.
  * @param {string|Function} [options.type='text/*']      - Content-Type to match.
+ * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  */
 function text(options = {})
@@ -22,9 +23,11 @@ function text(options = {})
   const limit = opts.limit || null;
   const encoding = opts.encoding || 'utf8';
   const typeOpt = opts.type || 'text/*';
+  const requireSecure = !!opts.requireSecure;
 
   return async (req, res, next) =>
   {
+    if (requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
     const ct = (req.headers['content-type'] || '');
     if (!isTypeMatch(ct, typeOpt)) return next();
     try

package/lib/body/urlencoded.js

@@ -30,6 +30,7 @@ function appendValue(prev, val)
  * @param {string|number}   [options.limit]     - Max body size (e.g. `'10kb'`).
  * @param {string|Function} [options.type='application/x-www-form-urlencoded'] - Content-Type to match.
  * @param {boolean}         [options.extended=false] - Use nested bracket parsing (e.g. `a[b][c]=1`).
+ * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  */
 function urlencoded(options = {})
@@ -38,9 +39,11 @@ function urlencoded(options = {})
     const limit = opts.limit || null;
     const typeOpt = opts.type || 'application/x-www-form-urlencoded';
     const extended = !!opts.extended;
+    const requireSecure = !!opts.requireSecure;
 
     return async (req, res, next) =>
     {
+        if (requireSecure && !req.secure) return sendError(res, 403, 'HTTPS required');
         const ct = (req.headers['content-type'] || '');
         if (!isTypeMatch(ct, typeOpt)) return next();
         try

package/lib/{fetch.js → fetch/index.js}

@@ -23,7 +23,21 @@ const STATUS_CODES = http.STATUS_CODES;
  * @param {import('http').Agent} [opts.agent]      - Custom HTTP agent.
  * @param {Function} [opts.onDownloadProgress]     - `({ loaded, total }) => void` callback.
  * @param {Function} [opts.onUploadProgress]       - `({ loaded, total }) => void` callback.
- * @returns {Promise<{ status: number, statusText: string, ok: boolean, headers: object, arrayBuffer: Function, text: Function, json: Function }>}
+ *
+ * TLS / HTTPS options (passed through to `https.request()` when the URL is `https:`):
+ * @param {boolean}  [opts.rejectUnauthorized]     - Reject connections with unverified certs (default: Node default `true`).
+ * @param {string|Buffer|Array} [opts.ca]          - Override default CA certificates.
+ * @param {string|Buffer}       [opts.cert]        - Client certificate (PEM) for mutual TLS.
+ * @param {string|Buffer}       [opts.key]         - Private key (PEM) for mutual TLS.
+ * @param {string|Buffer}       [opts.pfx]         - PFX / PKCS12 bundle (alternative to cert+key).
+ * @param {string}              [opts.passphrase]  - Passphrase for the key or PFX.
+ * @param {string}              [opts.servername]   - SNI server name override.
+ * @param {string}              [opts.ciphers]      - Colon-separated cipher list.
+ * @param {string}              [opts.secureProtocol] - SSL/TLS protocol method name.
+ * @param {string}              [opts.minVersion]   - Minimum TLS version (`'TLSv1.2'`, etc.).
+ * @param {string}              [opts.maxVersion]   - Maximum TLS version.
+ *
+ * @returns {Promise<{ status: number, statusText: string, ok: boolean, secure: boolean, url: string, headers: object, arrayBuffer: Function, text: Function, json: Function }>}
  */
 function miniFetch(url, opts = {})
 {
@@ -66,6 +80,19 @@ function miniFetch(url, opts = {})
             const options = { method, headers };
             if (opts.agent) options.agent = opts.agent;
 
+            // Pass through TLS options for HTTPS requests
+            if (lib === https)
+            {
+                const tlsKeys = [
+                    'rejectUnauthorized', 'ca', 'cert', 'key', 'pfx', 'passphrase',
+                    'servername', 'ciphers', 'secureProtocol', 'minVersion', 'maxVersion'
+                ];
+                for (const k of tlsKeys)
+                {
+                    if (opts[k] !== undefined) options[k] = opts[k];
+                }
+            }
+
             const req = lib.request(u, options, (res) =>
             {
                 const chunks = [];
@@ -101,6 +128,8 @@ function miniFetch(url, opts = {})
                         status,
                         statusText: STATUS_CODES[status] || '',
                         ok: status >= 200 && status < 300,
+                        secure: u.protocol === 'https:',
+                        url: u.href,
                         headers: responseHeaders,
                         arrayBuffer: () => Promise.resolve(buf),
                         text: () => Promise.resolve(buf.toString('utf8')),

package/lib/http/index.js

@@ -0,0 +1,9 @@
+/**
+ * @module http
+ * @description HTTP request/response wrappers for zero-http.
+ *              Exports Request and Response classes.
+ */
+const Request = require('./request');
+const Response = require('./response');
+
+module.exports = { Request, Response };

package/lib/{request.js → http/request.js}

@@ -1,5 +1,5 @@
 /**
- * @module request
+ * @module http/request
  * @description Lightweight wrapper around Node's `IncomingMessage`.
  *              Provides parsed query string, params, body, and convenience helpers.
  */
@@ -31,6 +31,12 @@ class Request
         this.params = {};
         this.body = null;
         this.ip = req.socket ? req.socket.remoteAddress : null;
+
+        /** `true` when the connection is over TLS (HTTPS). */
+        this.secure = !!(req.socket && req.socket.encrypted);
+
+        /** Protocol string — `'https'` or `'http'`. */
+        this.protocol = this.secure ? 'https' : 'http';
     }
 
     /**