Node.js Express HTTPS Server
In this post we'll look at how to add TLS to a Node.js Express HTTP server.
This post assumes that you already know how to set up an HTTP server using Express. If you don't, you can learn how to do it here.
Server Options
To add TLS to our server we first need to define an object containing some options:
```javascript
const fs = require('fs');
const path = require('path');

const serverOptions = {
  // Certificate(s) & Key(s)
  cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
  key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),
  // Optional: TLS Versions
  maxVersion: 'TLSv1.3',
  minVersion: 'TLSv1.2'
};
```
Creating the Server
We only need to modify one other line of code to enable TLS:
```javascript
const server = require('https').Server(serverOptions, app);
```
The entire code for a simple HTTPS server looks like this:
```javascript
const express = require('express');
const path = require('path');
const fs = require('fs');

const app = express();
const PORT = 4443;

const serverOptions = {
  // Certificate(s) & Key(s)
  cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
  key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),
  // TLS Versions
  maxVersion: 'TLSv1.3',
  minVersion: 'TLSv1.2'
};

// Wrap the Express app in an HTTPS server instead of the default HTTP one
const server = require('https').Server(serverOptions, app);

app.get('/', (req, res) => {
  res.sendFile(path.join(__dirname, 'index.html'));
});

// Start the Server
server.listen(PORT, () => {
  console.log(`[-] Server Listening on Port ${PORT}`);
});
```
Hardened TLS Configuration
For a more secure TLS configuration you should do the following:
- Disable all older/legacy versions of TLS.
  - Use `minVersion` and `maxVersion` to specify the supported TLS versions.
- Disable all insecure & old cipher suites.
  - Use `ciphers` to specify which cipher suites should be supported.
- Disable all but the most secure elliptic curves for the key exchange.
  - Use `ecdhCurve` to specify which curves should be supported for the key exchange.
- Disable all signature algorithms that don't use strong hash functions.
  - Use `sigalgs` to specify which server signature algorithms should be supported.
  - NOTE: Supported signature algorithms will vary depending on the type of certificate you are using! Learn more about server signature algorithms here.
Hardened Configuration Example
```javascript
const fs = require('fs');
const path = require('path');

const serverOptions = {
  // Certificate(s) & Key(s)
  cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
  key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),
  // TLS Versions: TLS 1.3 only
  maxVersion: 'TLSv1.3',
  minVersion: 'TLSv1.3',
  // Hardened configuration
  ciphers: 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256',
  ecdhCurve: 'P-521:P-384',
  // Must match the certificate type (see the NOTE above): this one needs an ECDSA P-384 certificate
  sigalgs: 'ecdsa_secp384r1_sha384',
  // Attempt to use the server's cipher suite preference instead of the client's
  honorCipherOrder: true
};
```
This post is licensed under CC BY 4.0 by the author.