Missing Secure HTTP server Configuration

Overview

  • Rule ID: javascript_express_https_protocol_missing

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-319

Description

Failing to configure your HTTP server to use HTTPS can expose data to interception and manipulation. HTTPS, which incorporates TLS (Transport Layer Security), encrypts data in transit, providing a more secure communication channel than HTTP.

Remediation Guidelines

  • Use the https module to create secure servers in your applications. This ensures that data transmitted between the server and clients is encrypted.

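    var fs = require('fs');
    var https = require('https');
    var express = require('express');
    var app = express();

    // Paths are placeholders: point them at your own private key and certificate.
    var options = {
      key: fs.readFileSync('/path/to/server.key'),
      cert: fs.readFileSync('/path/to/server.crt')
    };
    var httpsServer = https.createServer(options, app);
    httpsServer.listen(8080);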
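
The remediation above, extended as an added example that is not part of the original rule documentation: it fails fast when TLS material is missing and keeps a plain-HTTP port open only to redirect clients to HTTPS. The helper names, the canonical hostname and the port numbers are assumptions made for illustration.

```javascript
// Added example; function names, hostname and ports are hypothetical.
const http = require('http');
const https = require('https');

// https.createServer() does not throw when key/cert are absent; the server
// starts and then fails every handshake. Check up front instead.
function buildTlsOptions(key, cert) {
  if (!key || !cert) {
    throw new Error('TLS private key and certificate are required');
  }
  // Refuse protocol versions older than TLS 1.2.
  return { key: key, cert: cert, minVersion: 'TLSv1.2' };
}

// Handler for the plain-HTTP port: it serves no content, only a redirect.
// The target host comes from configuration, not from the client's Host
// header, so a forged header cannot steer the redirect elsewhere.
function redirectToHttps(canonicalHost, httpsPort) {
  const port = httpsPort === 443 ? '' : ':' + httpsPort;
  return function (req, res) {
    // Only origin-form paths are carried over; anything else goes to "/".
    const url = String(req.url || '');
    const path = url.startsWith('/') ? url : '/';
    res.writeHead(301, { Location: 'https://' + canonicalHost + port + path });
    res.end();
  };
}

// `app` is any (req, res) handler, for example an Express application.
function startServers(app, key, cert, canonicalHost, httpsPort, httpPort) {
  const secure = https.createServer(buildTlsOptions(key, cert), app);
  const plain = http.createServer(redirectToHttps(canonicalHost, httpsPort));
  secure.listen(httpsPort);
  plain.listen(httpPort);
  return { secure: secure, plain: plain };
}
```

Call startServers with the key and certificate read from disk, as in the snippet above, once the application's routes are registered.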

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
