Missing secure HTTP server configuration

Description

Use HTTPS wherever possible. HTTPS uses the TLS (Transport Layer Security) protocol to encrypt communication, making it more secure than HTTP.

Remediations

✅ Use the https module when calling createServer()

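var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();

// TLS requires a private key and certificate; the paths below are placeholders
var options = { key: fs.readFileSync('/path/to/key.pem'), cert: fs.readFileSync('/path/to/cert.pem') };
// Pass the TLS options first, then the Express app as the request handler
var httpsServer = https.createServer(options, app);
httpsServer.listen(8080);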

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_express_https_protocol_missing

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_express_https_protocol_missing