
HTTPS Server

Since: Express 4 (2014)

In Express, combining Node.js's standard https module with SSL/TLS certificates allows you to start a server over HTTPS. It is common to use a self-signed certificate for development environments and a certificate issued by a Certificate Authority (CA) for production.

Syntax

app.js (syntax example)
var https = require('https');
var fs = require('fs');
var express = require('express');

var app = express();

var options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt')
};

https.createServer(options, app).listen(443);

Certificate File Types

File         Description
server.key   The private key file. Manage it carefully to prevent leakage.
server.crt   The SSL/TLS certificate file. Can be one issued by a CA or a self-signed one.
server.csr   The Certificate Signing Request (CSR) file. Used when applying for a certificate from a CA.
ca.crt       The intermediate CA certificate file. May be needed to build a certificate chain.

https.createServer() Options

Option        Description
key           Specifies the private key data. Pass a buffer or string read with fs.readFileSync().
cert          Specifies the certificate data. Pass the certificate corresponding to the private key.
ca            Specifies intermediate CA certificate data. Used when a certificate chain is required.
passphrase    Specified when the private key has a passphrase set.
requestCert   When set to true, requests a client certificate. Used for mutual TLS (mTLS) authentication.

Sample Code

Examples ranging from starting an HTTPS server with a self-signed certificate for development to the practical pattern of redirecting HTTP to HTTPS.

app.js (HTTPS server)
var https = require('https');
var http = require('http');
var fs = require('fs');
var path = require('path');
var express = require('express');

var app = express();

app.use(express.json());

var httpsOptions = {
    key: fs.readFileSync(path.join(__dirname, 'certs', 'server.key')),
    cert: fs.readFileSync(path.join(__dirname, 'certs', 'server.crt'))
};

app.get('/', function(req, res) {
    res.send('<h1>HTTPS server is running</h1>');
});

app.get('/info', function(req, res) {
    res.json({
        protocol: req.protocol,
        secure: req.secure,
        host: req.hostname
    });
});

https.createServer(httpsOptions, app).listen(443, function() {
    console.log('HTTPS server started: https://localhost:443');
});

http.createServer(function(req, res) {
    var redirectUrl = 'https://' + req.headers['host'] + req.url;
    res.writeHead(301, { 'Location': redirectUrl });
    res.end();
}).listen(80, function() {
    console.log('HTTP server started (redirecting to HTTPS): http://localhost:80');
});

Creating a Self-Signed Certificate for Development

In development environments, you can create a self-signed certificate with the OpenSSL command. For production, it is common to use a certificate issued by a CA such as Let's Encrypt.

Terminal
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes

Start an HTTPS server using the generated certificate.

app.js (self-signed certificate)
var https = require('https');
var fs = require('fs');
var express = require('express');

var app = express();

var options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt')
};

app.get('/', function(req, res) {
    res.send('Development HTTPS server');
});

https.createServer(options, app).listen(3443, function() {
    console.log('Development HTTPS server started: https://localhost:3443');
    console.log('Note: Browser will show a warning for self-signed certificates');
});

Common Mistakes

Mistake 1: Certificate file path not found

When a relative path is passed to fs.readFileSync(), the resolved location depends on which directory the server is started from. Using an absolute path with __dirname creates a configuration that does not depend on the launch directory.

NG (Mistake 1)
var options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt')
};
OK (Mistake 1)
var path = require('path');
var options = {
    key: fs.readFileSync(path.join(__dirname, 'certs', 'server.key')),
    cert: fs.readFileSync(path.join(__dirname, 'certs', 'server.crt'))
};

Mistake 2: Using app.listen() instead of https.createServer()

To start an HTTPS server, use https.createServer(options, app).listen() instead of app.listen(). Since app.listen() starts an HTTP server, certificate options cannot be passed to it.

NG (Mistake 2)
app.listen(443, function() {
    console.log('Started');
});
OK (Mistake 2)
https.createServer(options, app).listen(443, function() {
    console.log('HTTPS server started');
});

Mistake 3: Not setting up HTTP redirect

Even with an HTTPS server running on port 443, plain HTTP requests to port 80 are still answered over HTTP and are not upgraded automatically. Starting an HTTP server on port 80 that redirects to HTTPS ensures that all traffic ends up encrypted.

NG (HTTP traffic passes through)
https.createServer(options, app).listen(443);
OK (HTTP → HTTPS redirect)
https.createServer(options, app).listen(443);

http.createServer(function(req, res) {
    var redirectUrl = 'https://' + req.headers['host'] + req.url;
    res.writeHead(301, { 'Location': redirectUrl });
    res.end();
}).listen(80);

Overview

To start an Express application over HTTPS, use Node.js's standard https.createServer(options, app) instead of app.listen(). Pass the private key (key) and certificate (cert) in options. Reading files synchronously with fs.readFileSync() is common practice.

In production, using a certificate obtained via Let's Encrypt (Certbot) and setting up a 301 redirect from the HTTP port (80) to the HTTPS port (443) is a standard configuration. A setup where a reverse proxy (Nginx, Apache, etc.) handles SSL termination is also widely used. In that case, the Express app itself runs over HTTP, and app.set('trust proxy', true) is configured to correctly retrieve the client's IP address and protocol.
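As an added example (not code from the original page), the two functions below spell out what app.set('trust proxy', ...) decides for req.protocol and req.ip: the X-Forwarded-Proto and X-Forwarded-For headers are honoured only when the TCP peer is a trusted proxy, because otherwise any client that reaches the app directly could claim an HTTPS connection or a different source address. This is a simplified model of the logic Express delegates to its proxy-addr dependency, written with Node.js built-ins only; the addresses are constructed sample values.

```javascript
// Added example: what 'trust proxy' does for protocol and client address,
// written as plain functions. Node.js built-ins only; sample addresses are constructed.

// Normalize IPv4-mapped IPv6 addresses ("::ffff:10.0.0.2") to plain IPv4,
// which is how Node.js often reports remoteAddress on dual-stack listeners.
function normalizeAddress(addr) {
  if (typeof addr !== 'string') return '';
  return addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Protocol as the client saw it. X-Forwarded-Proto is believed only when the
// TCP peer is one of our own proxies; otherwise the socket decides.
function effectiveProtocol(req, trustedProxies) {
  const direct = req.socket && req.socket.encrypted ? 'https' : 'http';
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);
  if (!trustedProxies.includes(peer)) return direct;
  const header = req.headers['x-forwarded-proto'];
  if (typeof header !== 'string' || header === '') return direct;
  // Chained proxies append values ("https, http"); the first is the client's.
  const first = header.split(',')[0].trim().toLowerCase();
  return first === 'https' ? 'https' : 'http';
}

// Client address: walk X-Forwarded-For from the right, skipping the hops we
// trust, and report the first untrusted address. The peer itself is returned
// when it is not a trusted proxy (header ignored) or when every hop is trusted.
function clientAddress(req, trustedProxies) {
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);
  if (!trustedProxies.includes(peer)) return peer;
  const header = req.headers['x-forwarded-for'];
  const hops = typeof header === 'string'
    ? header.split(',').map((s) => normalizeAddress(s.trim())).filter(Boolean)
    : [];
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return hops[i];
  }
  return peer;
}

// Convenience summary mirroring req.protocol / req.secure / req.ip.
function describeRequest(req, trustedProxies) {
  const protocol = effectiveProtocol(req, trustedProxies);
  return { protocol: protocol, secure: protocol === 'https', ip: clientAddress(req, trustedProxies) };
}
```

In Express the equivalent is to list the proxy addresses, for example app.set('trust proxy', ['loopback', '10.0.0.2']); the page's app.set('trust proxy', true) trusts every peer, which is only safe when the app is reachable exclusively through the reverse proxy.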

In development environments, OpenSSL can be used to generate a self-signed certificate to try HTTPS, but self-signed certificates display a warning in the browser and are not suited for production use.
