Reputation: 13
I have an HTTP server and I don't know why it doesn't run;
index.js file:
const express = require("express");
const app = (global.app = express());
const helmet = require("helmet");
const server = require("http").createServer(app);
const io = (global.io = require("socket.io")(server));
const config = require("./config.js");
//Middleware
app.use(helmet());
app.use(express.json());
app.use(express.urlencoded({ extended: false }));
require("./socket")(io);
require("./router")(app);
server.listen(config.PORT, () => console.log(`Listen on port ${config.PORT}...`));
router file:
const express = require("express");
const path = require("path");
module.exports = (app) => {
  app.use(express.static(path.join(__dirname, "/../public/main")));
  app.use("/board/:id", express.static(path.join(__dirname, "/../public/paint")));
  app.get("*", (req, res) => {
    res.status(404).sendFile(path.join(__dirname, "/../", "/public/404/404.html"));
  });
};
Chrome shows errors:
GET https://10.0.1.55:5000/board/jsdbf/style.css net::ERR_SSL_PROTOCOL_ERROR
GET https://10.0.1.55:5000/socket.io/socket.io.js net::ERR_SSL_PROTOCOL_ERROR
for all JS, CSS and images. index.html is loaded correctly.
Upvotes: 1
Views: 4095
Reputation: 121
Helmet is a package that adds content-security-policies and response headers to your API replies. The content-security-policy header was set to a default value, which contained a CSP header of "upgrade-insecure-requests." The queries for the style files were redirected from http to https as a result of this net::ERR_SSL_PROTOCOL_ERROR.
When applying helmet to your application, you may overcome the problem by adding the following logic.
const cspDefaults = helmet.contentSecurityPolicy.getDefaultDirectives();
delete cspDefaults['upgrade-insecure-requests'];
app.use(helmet({
  contentSecurityPolicy: { directives: cspDefaults }
}));
Upvotes: 1
Reputation: 797
I am not a 100% expert in Content Security Policy but I noticed something.
As Benjamin Lemoine pointed out, the net::ERR_SSL_PROTOCOL_ERROR problem appears when using helmet (app.use(helmet())). I do not think that the solution is to not use helmet at all because it provides security for the application.
After performing a brute force of all helmet middlewares (contentSecurityPolicy, dnsPrefetchControl, expectCt, frameguard, etc.), I found out that contentSecurityPolicy was creating the error. The MDN docs say that the upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).
So to solve the problem and use helmet at the same time I changed this:
app.use( helmet() );
to this:
app.use( helmet() );
// Start from helmet's default CSP directives (helmet 4+ API) and drop the
// one that makes the browser rewrite http:// requests to https://
const defaultDirectives = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultDirectives["upgrade-insecure-requests"];
app.use(helmet.contentSecurityPolicy({
  directives: {
    ...defaultDirectives,
  },
}));
This way I am still using helmet but the CSP directives are not forcing HTTP to HTTPS. Please keep in mind that the upgrade-insecure-requests directive should be set on production environments.
Upvotes: 2
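Both answers come down to the same thing: helmet's default Content-Security-Policy carries upgrade-insecure-requests, so on a plain-HTTP origin the browser rewrites every sub-resource URL to https:// and fails with net::ERR_SSL_PROTOCOL_ERROR. The following is an added example, not code from the question or either answer and not helmet's own code. It mimics how helmet serialises a directives object into the header value, keeps upgrade-insecure-requests only when NODE_ENV is "production" (the caveat at the end of the second answer), and parses a served header so you can check what the browser is actually being told. The default directive set is modelled on helmet 4's getDefaultDirectives() and is an assumption; compare it with the version you have installed. It needs no express or helmet dependency.

```javascript
// Added example (not from the question, the answers or helmet itself):
// build a CSP header the way helmet does, drop upgrade-insecure-requests
// outside production, and parse a served header to verify the result.

// Directive set modelled on helmet 4's getDefaultDirectives()
// (assumption: check it against your installed helmet version).
const HELMET_DEFAULT_DIRECTIVES = {
  "default-src": ["'self'"],
  "base-uri": ["'self'"],
  "block-all-mixed-content": [],
  "font-src": ["'self'", "https:", "data:"],
  "frame-ancestors": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "script-src": ["'self'"],
  "script-src-attr": ["'none'"],
  "style-src": ["'self'", "https:", "'unsafe-inline'"],
  "upgrade-insecure-requests": [],
};

// Copy the defaults and drop upgrade-insecure-requests unless the server is
// really fronted by TLS; every other directive stays in place.
function directivesForEnv(nodeEnv, defaults = HELMET_DEFAULT_DIRECTIVES) {
  const directives = { ...defaults };
  if (nodeEnv !== "production") {
    delete directives["upgrade-insecure-requests"];
  }
  return directives;
}

// Serialise as helmet does: "name value value; name; ..." with a bare name
// for directives whose value list is empty.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) =>
      values.length ? `${name} ${values.join(" ")}` : name
    )
    .join("; ");
}

// Parse a Content-Security-Policy header value back into a directives object
// (run this on res.getHeader("Content-Security-Policy") or on a curl -I
// capture to see what the browser is being told).
function parseCsp(headerValue) {
  const directives = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// True when the policy tells the browser to rewrite http:// sub-resource
// requests to https://, the cause of ERR_SSL_PROTOCOL_ERROR on an HTTP-only
// origin.
function upgradesInsecureRequests(headerValue) {
  return Object.prototype.hasOwnProperty.call(
    parseCsp(headerValue),
    "upgrade-insecure-requests"
  );
}

// Show the header that a dev and a production instance would send.
for (const env of ["development", "production"]) {
  const header = serializeCsp(directivesForEnv(env));
  console.log(`[${env}] upgrade-insecure-requests=${upgradesInsecureRequests(header)}`);
  console.log(`  Content-Security-Policy: ${header}`);
}
```

In the real app you would pass directivesForEnv(process.env.NODE_ENV) as the directives option of helmet.contentSecurityPolicy(), so the dev instance on http://10.0.1.55:5000 serves its CSS and socket.io.js over plain HTTP while the TLS-terminated production deployment keeps the upgrade. helmet 4.2+ also accepts null as a directive value to remove a default, which avoids the delete on a copied object.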