Step 1: Generate your SSL key and certificate signing request:

Note: when prompted, enter the site's domain name as the "Common Name".

openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Step 2: Get your certificate

Log into GoDaddy or your friendly neighborhood certificate provider and go through their workflow. If you go with GoDaddy, you will get a zip file to download that contains an example.com.crt and a gd_bundle.crt (GoDaddy's intermediate certificate bundle).

Step 3: Set up your node app and HSTS

var fs = require('fs');

// Note: https.createServer takes the TLS options first, then the request handler.
require("https").createServer({
     key: fs.readFileSync('ssl/example.com.key'),
     cert: fs.readFileSync('ssl/example.com.crt'),
     ca: fs.readFileSync('ssl/gd_bundle.crt')   // GoDaddy intermediate bundle
   }, function(req, res){
     res.writeHead(200, {
       'Content-Type': 'text/plain',
       'Strict-Transport-Security': 'max-age=604800'   // HSTS lifetime in seconds (one week)
     });
     res.end('Hello from SSL!\n');
   }).listen(443);

This will get your server responding to SSL requests and, through the "Strict-Transport-Security" (HSTS) header, will tell browsers to use SSL for all future requests to the site. Sweet.

The HSTS header in the example above is set to last for 604800 seconds, which is exactly one week. This means that if anyone types in a link to http://example.com, the browser will automatically change it to https://example.com *without* going to http://example.com first! Change 604800 seconds to whatever duration you feel comfortable with.

Unfortunately, we can only specify HSTS from an HTTPS site. But how do we force SSL if someone comes to our site with plain HTTP?

Step 4: Set up the redirect

To set up the redirect, you just call another function to create a second server listening on the default HTTP port (80) that responds with a redirect status code and a 'Location' header pointing at the HTTPS URL:

require("http").createServer(function(req, res){
     res.writeHead(301, {
       'Content-Type': 'text/plain',
       'Location': 'https://' + req.headers.host + req.url   // same host and path, over HTTPS
     });
     res.end('Redirecting to SSL\n');
   }).listen(80);