Case Study

Hardened HTTPS Agent for the Open Source Community

Reverse Engineering, AI Automation, Agents, Open Source
Node.js, TypeScript, GitHub Actions

About

Many developers are surprised to learn that Node.js does not validate TLS certificates the same way a browser does. By default, it does not check whether a certificate has been revoked, so a Node.js application could successfully connect to a server presenting a compromised or mis-issued certificate without any warning. While Node.js provides the necessary cryptographic building blocks, it leaves the responsibility of implementing advanced security policies entirely up to the developer.

To solve this critical security gap, I authored hardened-https-agent [1], an open-source, security-first https.Agent for Node.js. It provides modern, browser-grade security policies for outbound TLS connections, making it easy for developers to protect their applications against connecting to untrustworthy servers.

One of the most powerful use cases for this library is in trust-minimized environments like Trusted Execution Environments (TEEs). While a TEE provides verifiable computation (proving its logic was executed correctly), it cannot verify the authenticity of incoming network data, leaving it vulnerable to Man-in-the-Middle attacks. By pairing a TEE with hardened-https-agent, developers can achieve verifiable networking, creating a two-fold guarantee that secures the entire data journey. This pattern is foundational for building high-integrity oracles and autonomous AI agents, as demonstrated in the Phala Cloud Oracle Template [4].

This library is designed for any Node.js application that needs to reliably verify the authenticity of a remote server.


Work

  • [x] Authored and published hardened-https-agent, a security-focused https.Agent that serves as a drop-in replacement for the default Node.js agent.
  • [x] Implemented a suite of advanced, browser-grade certificate validation checks, including Certificate Transparency (CT), OCSP (Stapling & Direct), and CRLSet.
  • [x] Designed the library with a dual-API approach: a simple https.Agent for easy adoption and a flexible ValidationKit for advanced use cases like securing existing proxy agents.
  • [x] Developed and published two foundational, low-level libraries as part of this effort: sct.js [2] for parsing and verifying Signed Certificate Timestamps (SCTs) and crlset.js [3] for handling Chrome's aggregated CRL lists.
  • [x] Built a comprehensive test suite, including ports of existing Rust test cases and newly generated suites.
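
To make the SCT parsing mentioned in the list above concrete, the following Node.js code is an added example, not code from hardened-https-agent or sct.js. It parses a TLS-encoded SignedCertificateTimestampList as defined in RFC 6962 and rejects truncated or inconsistent length fields. The names parseSctList and meetsLogDiversity, the distinct-log policy and the sample bytes are assumptions made for illustration, and signatures are not verified here.

```javascript
// Added example: structural parser for a TLS-encoded SignedCertificateTimestampList
// (RFC 6962, section 3.3). It does NOT verify signatures; a real CT check must.
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');

function parseSctList(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let pos = 0;
  // Refuse any read that would cross `end` (truncated or lying length fields).
  const need = (n, end) => {
    if (pos + n > end) throw new RangeError(`truncated SCT data at offset ${pos}`);
  };
  need(2, bytes.length);
  if (view.getUint16(0) !== bytes.length - 2) throw new RangeError('list length mismatch');
  pos = 2;
  const scts = [];
  while (pos < bytes.length) {
    need(2, bytes.length);
    const end = pos + 2 + view.getUint16(pos); // end of this SerializedSCT
    if (end > bytes.length) throw new RangeError('SCT overruns list');
    pos += 2;
    need(43, end); // version(1) + log_id(32) + timestamp(8) + extensions length(2)
    const version = view.getUint8(pos);
    if (version !== 0) throw new RangeError(`unsupported SCT version ${version}`);
    const logId = hex(bytes.subarray(pos + 1, pos + 33));
    const timestamp = view.getBigUint64(pos + 33); // milliseconds since epoch
    const extLen = view.getUint16(pos + 41);
    pos += 43;
    need(extLen + 4, end); // extensions + hash alg(1) + sig alg(1) + sig length(2)
    pos += extLen;
    const hashAlg = view.getUint8(pos), sigAlg = view.getUint8(pos + 1);
    const sigLen = view.getUint16(pos + 2);
    pos += 4;
    need(sigLen, end);
    const signature = bytes.subarray(pos, pos + sigLen);
    pos += sigLen;
    if (pos !== end) throw new RangeError('trailing bytes inside SCT');
    scts.push({ version, logId, timestamp, hashAlg, sigAlg, signature });
  }
  return scts;
}

// Illustrative policy (an assumption, not the library's): SCTs from >= minLogs distinct logs.
const meetsLogDiversity = (scts, minLogs) => new Set(scts.map((s) => s.logId)).size >= minLogs;

// Constructed sample: placeholder log IDs and a 4-byte dummy signature, not real SCTs.
const sct = (log, ts) => '0033' + '00' + log.repeat(32) + ts.toString(16).padStart(16, '0') + '0000' + '0403' + '0004' + 'deadbeef';
const fromHex = (h) => Uint8Array.from(h.match(/../g), (x) => parseInt(x, 16));
const SAMPLE = fromHex('006a' + sct('11', 1700000000000) + sct('22', 1700000001000));
```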

Results

  • Successfully delivered a production-ready, open-source library that solves a critical and often-overlooked security gap in the Node.js ecosystem.
  • The library is designed for high adoption, with a simple drop-in replacement for the default agent, making it easy for developers to harden their applications.

Resources

  1. hardened-https-agent (GitHub)
  2. @gldywn/sct.js (GitHub)
  3. @gldywn/crlset.js (GitHub)
  4. Phala Cloud Oracle Template (GitHub)

This project provides a critical security enhancement for the Node.js ecosystem, making advanced, browser-grade TLS validation accessible to all developers.