The HTTPS module is a core Node.js module that provides an implementation of the HTTPS protocol, which is essentially HTTP over TLS/SSL. It's a secure version of the HTTP module, providing encrypted communication between clients and servers.
HTTPS is crucial for modern web applications because it:
- Protects sensitive information like passwords, credit card numbers, and personal data from eavesdropping
- Verifies that clients are communicating with the intended server
- Prevents data from being modified or corrupted during transfer
- Visual indicators (like the padlock icon) increase user confidence
- Search engines prioritize HTTPS websites in search results
- Many web APIs (like Geolocation, Service Workers) require HTTPS
- Client initiates a secure connection to the server
- Server presents its SSL/TLS certificate to the client
- Client verifies the certificate with a trusted Certificate Authority (CA)
- Symmetric encryption is used for the actual data transfer
Modern HTTPS uses TLS (Transport Layer Security), which is the successor to SSL (Secure Sockets Layer). The terms are often used interchangeably, but SSL is now considered deprecated.
As of 2023, all major browsers require HTTPS for new web features and APIs. Many browsers also mark non-HTTPS sites as "Not Secure."
To use the HTTPS module in your Node.js application, you can import it using CommonJS or ES modules syntax:
CommonJS (Node.js default)
// Using require()
const https = require('https');
ES Modules (Node.js 14+)
// Using import (requires "type": "module" in package.json)
import https from 'https';
The HTTPS module has the same interface as the HTTP module, with the main difference being that it creates connections using TLS/SSL. This means all the methods and events available in the HTTP module are also available in the HTTPS module.
The main difference in usage is that HTTPS requires SSL/TLS certificates, while HTTP does not.
HTTPS requires SSL/TLS certificates to establish secure connections. There are several types of certificates:
- Self-Signed: For development and testing (not trusted by browsers)
- Domain Validated (DV): Basic validation, just verifies domain ownership
- Organization Validated (OV): Validates organization details
- Extended Validation (EV): Highest level of validation, shows company name in browser
- Wildcard: Secures all subdomains of a domain
- Multi-Domain (SAN) Certificates: Secures multiple domains with one certificate
For development, you can create self-signed certificates using OpenSSL:
# Generate a private key (RSA 2048-bit)
openssl genrsa -out key.pem 2048
# Generate a self-signed certificate (valid for 365 days)
openssl req -new -x509 -key key.pem -out cert.pem -days 365 -nodes
If there is no key.pem file present, you need to use the "-newkey" option instead of "-key" in the command above.
With Subject Alternative Names (SAN)
# Create a config file (san.cnf)
cat > san.cnf << EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = Organizational Unit
CN = localhost
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
# Generate key and certificate with SAN
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout key.pem -out cert.pem -config san.cnf -extensions 'v3_req'
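
A check worth running on the generated files before pointing a Node.js HTTPS server at them, as an added example (not code from the original tutorial): it rebuilds the SAN certificate from the config above in a directory you choose, then confirms hostname coverage, key/certificate pairing and remaining validity. The function names are hypothetical, and the `openssl` CLI is assumed to be installed.

```shell
# Added example; function names are hypothetical, config values are the page's.
# make_dev_cert DIR: write san.cnf, key.pem and cert.pem into DIR.
make_dev_cert() {
    dir=$1
    cat > "$dir/san.cnf" << 'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = Organizational Unit
CN = localhost
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
    # umask 077 in a subshell so key.pem is never group- or world-readable.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" -extensions v3_req 2>/dev/null )
}

# cert_matches_host DIR HOST: succeed only if cert.pem is valid for HOST.
cert_matches_host() {
    openssl x509 -in "$1/cert.pem" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert DIR: succeed only if key.pem is the private half of cert.pem.
key_matches_cert() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    b=$(openssl pkey -in "$1/key.pem" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_for DIR SECONDS: succeed if cert.pem is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1/cert.pem" -noout -checkend "$2" > /dev/null
}
```

Call `make_dev_cert` on an existing directory, then run the three checks; a failing `cert_matches_host` for the name clients will connect to means the `[alt_names]` section needs that name added.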