EPISODE 04
TLS · env vars · .env · CSP · HSTS · helmet
HTTPS, Secrets & Headers
Encrypt traffic with HTTPS, keep secrets out of git, and harden HTTP responses with the right headers (CSP, HSTS, X-Frame-Options).
Tags: HTTPS · TLS · .env · headers · helmet · HSTS
Duration: About 1.5 hours
Level: Intermediate
Prerequisite: node-04
Outcome: Production-grade headers and zero secrets in source control
What you'll learn
1. Serve every page over HTTPS
2. Use environment variables for secrets, never commit .env
3. Apply HSTS to force HTTPS
4. Use helmet in Express for sensible defaults
1. HTTPS Everywhere
- Vercel / Netlify give you HTTPS automatically
- On a VPS, use Caddy or Certbot (Let's Encrypt) — free certificates
- Set HSTS to force HTTPS on revisits
```text
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```
2. Secrets in .env
```text
# .env (never committed)
DATABASE_URL=postgres://...
JWT_SECRET=...
STRIPE_KEY=...
```
```text
# .gitignore
.env
.env.local
```
```javascript
import "dotenv/config";
const dbUrl = process.env.DATABASE_URL;
```
⚠️ If you ever commit a secret, ROTATE it immediately. Removing the commit does not help — git history is forever.
3. Security Headers (Express + helmet)
```javascript
import express from "express";
import helmet from "helmet";

const app = express();
app.use(helmet()); // sane defaults: CSP, HSTS, frameguard, noSniff, etc.
```
| Header | Effect |
|---|---|
| Content-Security-Policy | Limits what scripts/styles/etc. can run |
| Strict-Transport-Security | Force HTTPS |
| X-Content-Type-Options: nosniff | Stop MIME sniffing |
| X-Frame-Options: DENY | Prevent clickjacking |
| Referrer-Policy | Limit Referer leaks |
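As an added example (not part of the lesson's materials or helmet's own code), here is a dependency-free audit of the headers in the table above, run over a constructed header set: the kind of check you would point at a deployed app's responses before shipping. It flags a missing or short-lived HSTS, a CSP that permits inline or wildcard scripts, and missing nosniff, frame and referrer headers; it assumes plain header-name/value objects such as you would get from Node's `fetch` or `curl -I`.

```javascript
// Read max-age out of "max-age=63072000; includeSubDomains; preload".
function hstsMaxAge(value) {
  const m = /max-age=(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

// Parse a CSP value into { directive: [sources] }.
function parseCsp(value) {
  const directives = {};
  for (const d of value.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audit a response header map; returns a list of findings (empty = sound).
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("HSTS missing");
  else if (hstsMaxAge(hsts) < 31536000) findings.push("HSTS max-age below one year"); // preload minimum
  const cspValue = h["content-security-policy"] || "";
  if (!cspValue) findings.push("CSP missing");
  else {
    const csp = parseCsp(cspValue);
    const scriptSrc = csp["script-src"] || csp["default-src"] || [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*"))
      findings.push("CSP allows inline or wildcard scripts");
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("nosniff missing");
  if (!h["x-frame-options"] && !cspValue.includes("frame-ancestors"))
    findings.push("no clickjacking protection (X-Frame-Options or frame-ancestors)");
  if (!h["referrer-policy"]) findings.push("Referrer-Policy missing");
  return findings;
}
// Constructed samples: roughly what helmet() sends by default, and a weak set.
const GOOD_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "no-referrer",
};
const WEAK_HEADERS = {
  "Strict-Transport-Security": "max-age=3600",
  "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
};
```

`auditHeaders(GOOD_HEADERS)` returns an empty list, while `auditHeaders(WEAK_HEADERS)` reports the short HSTS lifetime, the permissive CSP and the three missing headers.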
4. Final Checklist Before Shipping
- HTTPS on every endpoint
- Secrets in env vars, never in code
- Strong password hashing (bcrypt, argon2)
- Rate-limit login and signup endpoints
- Log security events (failed logins, role changes)
- Keep dependencies updated (npm audit)
Example code / lecture materials
All lecture materials and example code are openly available on GitHub.