
NodeJS Express HTTPS Server

In this post we’ll look at how to add TLS to a Node.js Express HTTP server.

This post assumes that you already know how to set up an HTTP server using Express. If you don’t, you can learn how to do it here.

  1. Server Options
  2. Creating the Server
  3. Hardened TLS Configuration

Server Options

To add TLS to our server we first need to define an object containing some options:

const fs = require('fs');
const path = require('path');

const serverOptions = {
	// Certificate(s) & Key(s): the PEM-encoded server certificate and its private key
	cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
	key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),

	// Optional: TLS Versions (Node's own defaults are TLSv1.2 through TLSv1.3)
	maxVersion: 'TLSv1.3',
	minVersion: 'TLSv1.2'
};

Creating the Server

We only need to modify one other line of code to enable TLS:

const server = require('https').Server(serverOptions, app);

The entire code for a simple HTTPS server looks like this:

const express = require('express');
const path = require('path');
const fs = require('fs');
const app = express();

const PORT = 4443;

const serverOptions = {
	// Certificate(s) & Key(s): the PEM-encoded server certificate and its private key
	cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
	key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),

	// TLS Versions
	maxVersion: 'TLSv1.3',
	minVersion: 'TLSv1.2'
};

// The only change from a plain HTTP server: wrap the Express app in an HTTPS server
const server = require('https').Server(serverOptions, app);

// Serve the single page of this example
app.get('/', (req, res) => {
	res.sendFile(path.join(__dirname, 'index.html'));
});

// Start the Server
server.listen(PORT, () => {
	console.log(`[-] Server Listening on Port ${PORT}`);
});

Hardened TLS Configuration

For a more secure TLS configuration you should do the following:

  • Disable all older/legacy versions of TLS.
    • Use minVersion and maxVersion to specify the supported TLS versions.
  • Disable all insecure & old cipher suites.
    • Use ciphers to specify which cipher suites should be supported.
  • Disable all but the most secure Elliptic Curves for the key exchange.
    • Use ecdhCurve to specify which curves should be supported for the Key Exchange.
  • Disable all signature algorithms that don’t use strong hash functions.
    • Use sigalgs to specify which Server Signature Algorithms should be supported.
    • NOTE: Supported Signature Algorithms will vary depending on the type of certificate you are using! Learn more about Server Signature algorithms here.

Hardened Configuration Example

const fs = require('fs');
const path = require('path');

const serverOptions = {
	// Certificate(s) & Key(s): with the sigalgs setting below, this must be an ECDSA P-384 certificate
	cert: fs.readFileSync(path.join(__dirname, 'certs/host.crt')),
	key: fs.readFileSync(path.join(__dirname, 'certs/host.key')),

	// TLS Versions: TLS 1.3 only
	maxVersion: 'TLSv1.3',
	minVersion: 'TLSv1.3',

	// Hardened configuration
	ciphers: 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256',
	ecdhCurve: 'P-521:P-384',
	sigalgs: 'ecdsa_secp384r1_sha384',

	// Prefer the server's cipher suite order over the client's
	honorCipherOrder: true
};

This post is licensed under CC BY 4.0 by the author.