Problem
Backend has no HTTPS enforcement or secure cookie configuration. If deployed without a reverse proxy terminating HTTPS, credentials are transmitted in plaintext.
Technical Details
File: backend/routes/auth.js, backend/server.js
No visible HTTPS enforcement, secure cookie flags, or HSTS headers.
Risk
- Plaintext credential transmission if reverse proxy not configured
- Man-in-the-middle attacks on login
- Session cookies transmitted insecurely
- User credentials exposed on unencrypted networks
Recommended Solution
Enforce HTTPS and secure cookies:
```javascript
// In server setup (backend/server.js)
const express = require('express');
const session = require('express-session');
const passport = require('passport'); // used below but missing from the original snippet

const app = express();

if (process.env.NODE_ENV === 'production') {
  // Behind a reverse proxy, Express only honours X-Forwarded-* headers
  // (req.secure, and therefore the `secure` cookie flag) when it trusts the proxy
  app.set('trust proxy', 1);

  // Force HTTPS: redirect any request the proxy received over plain HTTP
  app.use((req, res, next) => {
    if (req.header('x-forwarded-proto') !== 'https') {
      return res.redirect(301, `https://${req.header('host')}${req.originalUrl}`);
    }
    next();
  });

  // HSTS header: browsers remember to use HTTPS for this origin for one year
  app.use((req, res, next) => {
    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
    next();
  });
}

// Secure session cookies
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: process.env.NODE_ENV === 'production', // HTTPS only
    httpOnly: true, // No JS access
    sameSite: 'strict', // CSRF protection
    maxAge: 24 * 60 * 60 * 1000 // 24 hours
  }
}));

app.use(passport.initialize());
app.use(passport.session());
```
Testing Strategy
Program Template
Suggested Labels
security, https, encryption, deployment, gssoc-eligible