Wasp-lang•2mo ago
Ramon

HTTPS

Hey! I have enabled HTTPS using the following code:

main.wasp file:
```wasp
server: {
  setupFn: import { initServer } from "@src/server/setup/initServer.js"
}
```
initServer.js file:
```ts
import { ServerSetupFn } from 'wasp/server'
import { Application } from 'express'
import https from 'https';
import fs from 'fs';

export const initServer: ServerSetupFn = async ({ app }) => {
  addHttpsServer(app)
}

function addHttpsServer(app: Application) {
  const options = {
    key: fs.readFileSync('/etc/ssl/certs/myapp.key'),
    cert: fs.readFileSync('/etc/ssl/certs/myapp.cert')
  };

  https.createServer(options, app).listen(3002, () => {
    console.log('Server is running on port 3002 with HTTPS');
  });
}
```
Hopefully it can help someone else and I can get some feedback. I then configured my DNS provider to redirect from HTTP to HTTPS. Do you think this is secure enough and the best approach for the current version of WASP? Thank you!
3 Replies
MEE6•2mo ago
Wohooo @Ramon, you just became a Waspeteer level 1!
kapa.ai•2mo ago
Hi @Ramon. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Your approach to enabling HTTPS in your Wasp application seems to be a good start. However, it's important to note that security is a complex field and there are many factors to consider.

One of the issues raised in the Wasp community was about the use of HTTP for the installation instructions, which was deemed unsafe due to the lack of HTTPS (source (https://github.com/wasp-lang/wasp/issues/325)). This indicates that the use of HTTPS is indeed encouraged in the Wasp community for secure communication.

However, there are other aspects to consider for securing your application. For instance, there was a suggestion to use the 'helmet' npm package to make the app more secure (source (https://github.com/wasp-lang/wasp/issues/22)). Another issue raised the need for a more restrictive CORS configuration (source (https://github.com/wasp-lang/wasp/issues/94)).

In conclusion, while enabling HTTPS is a crucial step towards securing your application, it's also important to consider other security practices. You might want to look into the issues mentioned above and see if they apply to your application.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Sorry @Ramon, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
miho•2mo ago
Usually Wasp apps are running behind a reverse proxy like Nginx or Apache or Caddy or whichever proxy Fly or Railway use when you deploy on those kinds of managed hosting platforms. This means the SSL termination (fancy way of saying who handles HTTPS) is usually done by a layer in front of the Wasp app and not the Wasp server or client directly. The way you did it is also fine, but it's not something we had in mind when building Wasp, so let us know if you have any issues with it so we can improve our support for it 🙂
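The thread describes two places TLS can end: in Node itself (`https.createServer`) or at a reverse proxy in front of the app. The following is an added example, not code from the thread or from Wasp, of Express-style middleware that recognises both cases, redirects plain-HTTP requests, and sends HSTS only over HTTPS. `enforceHttps`, `httpsRedirectTarget`, `canonicalHost` and `trustProxy` are hypothetical names, and it assumes the proxy nearest the app writes the last `X-Forwarded-Proto` value.

```typescript
// Added example, not code from the thread. Minimal structural types stand in
// for Express's Request/Response so the block runs without express installed.
interface Req {
  headers: Record<string, string | string[] | undefined>;
  url?: string;
  socket: { encrypted?: boolean };
}
interface Res {
  statusCode: number;
  setHeader(name: string, value: string): void;
  end(): void;
}
interface Opts {
  canonicalHost: string; // assumed: the site's fixed public hostname
  trustProxy: boolean;   // true only when a proxy you control sets X-Forwarded-Proto
}

// Returns null when the request already arrived over HTTPS, else the redirect URL.
function httpsRedirectTarget(req: Req, opts: Opts): string | null {
  // Case 1: Node terminates TLS itself (https.createServer), as in the original post.
  if (req.socket.encrypted === true) return null;
  // Case 2: a reverse proxy terminates TLS and reports the client scheme.
  // Assumption: the last comma-separated value was written by the nearest hop.
  const raw = req.headers['x-forwarded-proto'];
  const hops = typeof raw === 'string' ? raw.split(',') : [];
  const proto = (hops[hops.length - 1] ?? '').trim().toLowerCase();
  if (opts.trustProxy && proto === 'https') return null;
  // Build the target from the configured host, never from the Host header,
  // and accept only origin-form paths so the URL cannot be steered elsewhere.
  const path = req.url !== undefined && req.url.startsWith('/') ? req.url : '/';
  return `https://${opts.canonicalHost}${path}`;
}

// Express-style middleware (hypothetical usage: app.use(enforceHttps({ ... }))).
function enforceHttps(opts: Opts) {
  return (req: Req, res: Res, next: () => void): void => {
    const target = httpsRedirectTarget(req, opts);
    if (target === null) {
      // Browsers honour HSTS only when it is received over HTTPS.
      res.setHeader('Strict-Transport-Security', 'max-age=31536000');
      next();
      return;
    }
    res.statusCode = 308; // permanent redirect that preserves the request method
    res.setHeader('Location', target);
    res.end();
  };
}
```

Leave `trustProxy` off when the Node server is directly reachable, since any client can then send its own `X-Forwarded-Proto` header.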