node.js v4 gets an A+ for SSL Labs with no configuration

We could have written a blog article about how to configure node, or we could just configure node for everybody.

July 12, 2021
We're Expedited Security. We help SaaS applications prevent and recover from attacks, overcome regulatory or integration security requirements, or just stop "weird" traffic before it becomes a problem.

While many people use load balancers like haproxy or nginx for larger apps, node has an excellent inbuilt SSL/TLS stack, as well as fast event-based IO for static files. Using a single server can often be more convenient for small apps.

So here's how to configure node.js v4 to pass SSL Labs with an A+: you don't.

Here's the entire HTTPS setup for node 4:

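var https = require('https');

// privateKey, certificate and certificateAuthority hold PEM data loaded elsewhere;
// app is the request handler. No ciphers or protocol options are set.
var server = https.createServer({
    key: privateKey,
    cert: certificate,
    ca: certificateAuthority
}, app);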

A few months back we wrote about how to configure node.js to pass the SSL Labs test. But then we had a thought:

What's better than a configuration guide? Software with secure defaults.

Shortly afterwards CertSimple added newer, better ciphers into node.js itself. These now ship out of the box in node v4.

Best practices, and thus the SSL Labs test, evolve over time, so this might not always be the case. But right now node has one of the best out of the box SSL setups of any web server.