Missing secure HTTP server configuration

Description

Failing to configure your HTTP server to use HTTPS can expose data to interception and manipulation. HTTPS, which incorporates TLS (Transport Layer Security), encrypts data in transit and therefore provides a more secure communication channel than HTTP.

Remediations

  • Do use the https module for creating secure servers in your applications. This ensures that data transmitted between the server and clients is encrypted.
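    var fs = require('fs');
    var https = require('https');
    var express = require('express');
    var app = express();

    // TLS needs a private key and certificate; these paths are placeholders
    var httpsServer = https.createServer({
      key: fs.readFileSync('/path/to/key.pem'),
      cert: fs.readFileSync('/path/to/cert.pem')
    }, app);
    httpsServer.listen(8080);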

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_express_https_protocol_missing

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_express_https_protocol_missing