test(server): prove in-process HTTPS over real TLS + document edge-termination posture#252
Merged
Conversation
…ument edge-termination posture Adds tests/integration/httpsListener.test.js: loads dev credentials, stands up createHttpsServer, and issues a genuine TLS request asserting HTTP 200 and socket.encrypted === true. Until now createHttpsServer was only ever mocked, so the HTTPS-first claim had no end-to-end coverage. Documents in DEVELOPMENT.md why the managed deployment runs with TLS_ENABLED=false (TLS terminates at the platform edge) while the project stays HTTPS-first by default, adds the TLS_ENABLED env var, and expands TRUST_PROXY_HOPS guidance (must match ingress hops; governs req.secure / redirect / secure cookies / HSTS behind the edge; raise it behind a further proxy or CDN).
…ation Trust the server's own self-signed certificate as the CA and connect by its SAN hostname, so the handshake is fully verified. Removes the rejectUnauthorized:false bypass CodeQL flagged (js/disabling-certificate-validation) and makes the test stricter.
Generate the self-signed localhost cert with selfsigned directly instead of the file-capable loader, so the trusted CA never originates from disk. Clears the CodeQL 'file data in outbound network request' finding while keeping full TLS validation; loadTlsCredentials keeps its own unit coverage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Two gaps surfaced while reviewing the HTTPS posture after the Node 24 cutover:
createHttpsServer(https.createServer({key,cert}, app)) was only ever mocked instartApplicationRuntime.test.js; no test performed a real TLS handshake. The "HTTPS-first" claim had unit coverage for cert-loading and HTTP→HTTPS redirect enforcement, but nothing proving the listener itself serves TLS.TLS_ENABLED=false(HTTP-only on$PORT) — that needs a written rationale so it doesn't read as a security downgrade.What
tests/integration/httpsListener.test.js— loads dev credentials vialoadTlsCredentials(), stands up the realcreateHttpsServer, starts it on an ephemeral port, and issues a genuinehttpsrequest. Asserts200, the app seesreq.secure === true, and — decisively —socket.encrypted === truewith aTLSv1.xprotocol. Runs in the CItest:cicomposed lane.DEVELOPMENT.md:X-Forwarded-Proto, HSTS via helmet); the managed deploy runsTLS_ENABLED=falsebecause TLS terminates at the platform edge; public traffic stays HTTPS end-to-end and enforcement still holds behind the edge.TLS_ENABLEDenv var and marksTLS_KEY/TLS_CERT/TLS_PORTas not required when it's off.TRUST_PROXY_HOPS: must equal the ingress hop count, governsreq.secure/ redirect / secure cookies / HSTS behind the edge, set it explicitly on the service, and raise it behind a further proxy/CDN.