# Missing Secure HTTP server Configuration

## Overview

* **Rule ID**: `javascript_express_https_protocol_missing`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-319

## Description

Failing to configure your HTTP server to use HTTPS can expose data to interception and manipulation. HTTPS, which incorporates TLS (Transport Layer Security), encrypts data in transit, providing a more secure communication channel than HTTP.

## Remediation Guidelines

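* **Use** the `https` module to create secure servers in your applications, and pass it the server's private key and certificate. This ensures that data transmitted between the server and clients is encrypted.

  ```javascript
  var fs = require('fs');
  var https = require('https');
  var express = require('express');
  var app = express();

  // Placeholder paths: the server cannot complete a TLS handshake without a key and certificate
  var options = {
    key: fs.readFileSync('/path/to/server-key.pem'),
    cert: fs.readFileSync('/path/to/server-cert.pem')
  };
  var httpsServer = https.createServer(options, app);
  httpsServer.listen(8080);
  ```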
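The following added example is not part of the original rule documentation or of Express. It goes a step beyond the snippet above: the server fails closed when TLS material is missing instead of falling back to HTTP, sets an HSTS header, and uses the plain-HTTP port only to redirect to a fixed host. The function names, file paths, ports and the host `app.example.test` are assumptions.

```javascript
// Added example; names, paths, ports and host are assumptions, not project code.
const fs = require('fs');
const http = require('http');
const https = require('https');

// Load key and certificate, failing closed: no silent fallback to plain HTTP.
function loadTlsOptions(keyPath, certPath) {
  for (const p of [keyPath, certPath]) {
    if (!p || !fs.existsSync(p)) {
      throw new Error(`TLS material missing: ${p}; refusing to start without HTTPS`);
    }
  }
  return {
    key: fs.readFileSync(keyPath),
    cert: fs.readFileSync(certPath),
    minVersion: 'TLSv1.2', // explicit floor: TLS 1.0/1.1 clients are rejected
  };
}

// Express-compatible middleware: tells browsers to use HTTPS only for this host.
function hsts(maxAgeSeconds) {
  return (req, res, next) => {
    res.setHeader('Strict-Transport-Security', `max-age=${maxAgeSeconds}`);
    next();
  };
}

// Handler for the plain-HTTP port: serves no content, only redirects.
// The target host comes from configuration, never from the request's Host header.
function redirectToHttps(canonicalHost) {
  return (req, res) => {
    res.writeHead(301, { Location: `https://${canonicalHost}${req.url}` });
    res.end();
  };
}

// Wire both listeners around an existing request handler (for example an Express app).
function start(app, { keyPath, certPath, host, httpsPort = 443, httpPort = 80 }) {
  const tls = loadTlsOptions(keyPath, certPath); // throws before any port is opened
  const secure = https.createServer(tls, app).listen(httpsPort);
  const plain = http.createServer(redirectToHttps(host)).listen(httpPort);
  return { secure, plain };
}

module.exports = { loadTlsOptions, hsts, redirectToHttps, start };
```

Register `hsts(31536000)` with `app.use(...)` before the routes so every HTTPS response carries the header.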

## References

* [**Express Security Best Practices: use TLS**](https://expressjs.com/en/advanced/best-practice-security.html#use-tls)
* [**CWE-319: Cleartext Transmission of Sensitive Information**](https://cwe.mitre.org/data/definitions/319.html)
* [**OWASP Top 10: A02:2021 - Cryptographic Failures**](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

## Configuration

To omit this rule during a scan, and for continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
