How to Use SSL/TLS with Node.js

This article explains how to secure your Express.js server with HTTPS using Let's Encrypt certificates, and further enhance security with HSTS and stronger Diffie-Hellman parameters.

In today's digital landscape, HTTPS is non-negotiable. It's expected by users, a Google ranking factor, and browsers actively highlight sites lacking it. This tutorial demonstrates adding a Let's Encrypt certificate to your Express.js application. However, client-side security is equally vital; we'll explore enforcing encrypted connections to external servers, even when not enabled by default. (Note: For NGINX reverse proxy SSL setup with a Node app, see our quick tip, “Configuring NGINX and SSL with Node.js”.)

Key Takeaways:

• HTTPS is crucial for website security in 2020 and beyond, offering authentication, privacy, confidentiality, and data integrity. It's a Google ranking factor and user expectation.
• Node.js defaults to HTTP, but the https module enables secure client communication. This requires SSL certificates, readily obtainable and free from Let's Encrypt.
• Certbot simplifies Let's Encrypt certificate generation and management, verifying certificate holder authenticity for secure client-server connections.
• HTTP Strict Transport Security (HSTS), implemented via the Helmet Node module, forces all traffic through HTTPS, mitigating protocol downgrade attacks and cookie hijacking.
• SSL/TLS security is strengthened by generating a longer (2048-bit) Diffie-Hellman key for enhanced server key exchange.

HTTPS Everywhere:

The HTTP/2 standard (RFC 7540, May 2015) mandates encryption, making HTTPS the default. This boosts HTTPS adoption. From a browser's perspective, reaching the IP level involves these layers:

1. Client browser
2. HTTP
3. SSL/TLS
4. TCP
5. IP

HTTPS is HTTP over SSL/TLS, inheriting HTTP rules while adding: authentication via keys and certificates; encrypted, asymmetric communication for privacy and confidentiality; and data integrity through tamper-proof transmission. Contrary to past perceptions, SSL/TLS overhead is minimal, even for large-scale operations like Google (under 1% CPU load and 2% network overhead). As Ilya Grigorik aptly stated, the only performance bottleneck is insufficient HTTPS usage.

TLS 1.3 is the latest version, succeeding SSL 3.0 (though not interoperable). It uses three encrypted channels: certificate chains, public key cryptography for key exchange, and symmetric cryptography for data transfer. SHA2 or stronger hashing algorithms are recommended (SHA1 is obsolete). Growing data breaches fuel user demand for enhanced online security. The EFF's HTTPS Everywhere browser extension enforces encryption where possible, including rewriting requests for sites with partial HTTPS support or blocking HTTP entirely.

Basic Communication:

Certificate validation involves verifying the signature, expiration date, trusted root chain, and revocation status. Trusted Certificate Authorities (CAs) issue certificates; compromise of a CA revokes all its certificates. The HTTPS handshake sequence: client initialization, certificate and key exchange message from the server, client key exchange and cipher specification, server confirmation, and handshake closure.

This sequence is independent of HTTP; HTTPS only alters socket handling. HTTP requests remain, but the socket encrypts content (headers and body).

HTTPS Implementation in Express.js:

Node.js uses the https module for secure communication. Its usage mirrors the http module:

const https = require("https"),
  fs = require("fs");

const options = {
  key: fs.readFileSync("/srv/www/keys/my-site-key.pem"),
  cert: fs.readFileSync("/srv/www/keys/chain.pem")
};

const app = express();

app.use((req, res) => {
  res.writeHead(200);
  res.end("hello world\n");
});

app.listen(8000);

https.createServer(options, app).listen(8080);

Replace /srv/www/keys/my-site-key.pem and /srv/www/keys/chain.pem with your generated certificate paths (explained below).

Certificate Generation with Certbot:

Certbot automates Let's Encrypt certificate generation and management. Install Certbot (instructions vary by OS; this example uses Ubuntu):

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

The certonly --webroot plugin simplifies certificate generation and verification. Run:

certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com

Provide your email address. The output shows paths to your private key and certificate files; use these in the options object above.

Security Enhancements:

• HTTP Strict Transport Security (HSTS): Use the Helmet middleware:

const helmet = require("helmet");
// ...
app.use(helmet());

• Stronger Diffie-Hellman Parameters: Generate a 2048-bit DH key using OpenSSL:

openssl dhparam -out /var/www/example/sslcert/dh-strong.pem 2048

Add dhparam to the options object:

const options = {
  // ...
  dhparam: fs.readFileSync("/var/www/example/sslcert/dh-strong.pem")
};

Conclusion:

HTTPS is essential. Node.js offers robust SSL/TLS options for secure web applications. Let's Encrypt simplifies certificate management, while HSTS and stronger DH parameters further enhance security.

The FAQs section has been omitted for brevity, but the provided information covers the core aspects of the original text.

The above is the detailed content of How to Use SSL/TLS with Node.js. For more information, please follow other related articles on the PHP Chinese website!