Step 1: Generate your SSL key and certificate signing request:

Note: you'll have to put the domain name in as the "common name".

openssl req -new -newkey rsa:2048 -nodes -keyout -out

Step 2: Get your certificate

Log into GoDaddy or your friendly neighborhood certificate provider and go through their workflow. If you go with GoDaddy, you will get a zip file to download that contains an and a gd_bundle.crt

Step 3: Set up your node app and HSTS

var fs = require("fs");

// TLS material from steps 1 and 2. The key and certificate file names were
// elided in the original; only the GoDaddy bundle name survives.
var options = {
    key: fs.readFileSync('ssl/'),
    cert: fs.readFileSync('ssl/'),
    ca: fs.readFileSync('ssl/gd_bundle.crt')
};

require("https").createServer(options, function(req, res){
    res.writeHead(200, {
        'Content-Type': 'text/plain',
        "Strict-Transport-Security": "max-age=604800"
    });
    res.end('Hello from SSL!\n');
}).listen(443); // default HTTPS port

This will get your server responding to SSL requests, and the "Strict-Transport-Security" header (HSTS) will make browsers use SSL for all future requests to the site. Sweet.

The HSTS header in the example above is set to last for 604800 seconds, or one week. This means that if anyone types in a link to, the browser will automatically change it to *without* going to first! Change 604800 seconds to whatever duration you feel comfortable with.

Unfortunately, browsers only honor HSTS when it is sent from an HTTPS site. But how do we force SSL if someone comes to our site with plain HTTP?

Step 4: Set up the redirect

To set up the redirect, you just create a second server listening on the default HTTP port 80 that answers every request with a redirect status code and a 'Location' header pointing at the SSL site:

require("http").createServer(function(req, res){
    res.writeHead(301, {
        'Content-Type': 'text/plain',
        // The redirect target was elided in the original; here it is derived
        // from the request's Host header and path.
        'Location': 'https://' + req.headers.host + req.url
    });
    res.end('Redirecting to SSL\n');
}).listen(80);