node.js v4 gets an A+ for SSL Labs with no configuration

January 25, 2020

We could have written a blog article about how to configure node, or we could just configure node for everybody.


By Mike on 29th Oct 2015

While many people use load balancers like haproxy or nginx for larger apps, node has an excellent inbuilt SSL/TLS stack, as well as fast event-based IO for static files. Using a single server can often be more convenient for small apps.

So here's how to configure node.js v4 to pass SSL Labs with an A+: you don't.

Here's the entire HTTPS setup for node 4:

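var https = require('https');

// privateKey, certificate and certificateAuthority hold PEM data loaded elsewhere;
// app is the request handler. No cipher or protocol options are set, so node's
// defaults apply.
var server = https.createServer({
    key: privateKey,
    cert: certificate,
    ca: certificateAuthority
}, app);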

A few months back we wrote about how to configure node.js to pass the SSL Labs test. But then we had a thought:

What's better than a configuration guide? Software with secure defaults.

Shortly afterwards, CertSimple added newer, better ciphers to node.js itself. These are now the out-of-the-box defaults in node v4.

Best practices, and thus the SSL Labs test, evolve over time, so this might not always be the case. But right now node has one of the best out-of-the-box SSL setups of any web server.