From 55795710d9f3f2f89a15d43c3027568954ff0ac2 Mon Sep 17 00:00:00 2001
From: Jordan Ramos
Date: Fri, 19 Jun 2026 14:44:04 -0600
Subject: [PATCH] Add TLS/HTTPS support with auto-detection

- Server auto-detects cert/key in backend/certs/ and starts HTTPS
- Falls back to plain HTTP if no certs found or TLS_ENABLED=false
- Self-signed cert generated for dev (365-day, gitignored)
- Added TLS env vars to .env.example
- Frontend rebuilt with https:// API URLs for dev server
---
 backend/.env.example | 8 ++++++++
 backend/.gitignore | 3 +++
 backend/server.js | 32 +++++++++++++++++++++++++++-----
 3 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/backend/.env.example b/backend/.env.example
index 3a8f7b6..b006b78 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -80,3 +80,11 @@ GITLAB_PAT= # Generate with: openssl rand -hex 20
 GITLAB_WEBHOOK_SECRET=changeme_generate_a_random_secret
+
+# TLS / HTTPS Configuration
+# If cert and key files exist at the paths below, the server starts with HTTPS.
+# Set TLS_ENABLED=false to force plain HTTP even when certs are present.
+# Generate a self-signed cert: openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj "/CN=cve-dashboard.local"
+TLS_ENABLED=true
+TLS_CERT=certs/cert.pem
+TLS_KEY=certs/key.pem
diff --git a/backend/.gitignore b/backend/.gitignore
index 0a6c76f..9fccb7c 100644
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -3,3 +3,6 @@ backend/fix_multivendor_constraint.js
 backend/migrate_multivendor.js
 backend/add_vendor_to_documents.js
+
+# TLS certificates (self-signed or CA-issued)
+certs/
diff --git a/backend/server.js b/backend/server.js
index b1689f5..db06dcc 100644
--- a/backend/server.js
+++ b/backend/server.js
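Review bot: The openssl command in the new `# Generate a self-signed cert:` comment yields a certificate with only a CN (`-subj "/CN=cve-dashboard.local"`) and no subjectAltName, and current browsers no longer use the CN for hostname matching, so the dev dashboard will still fail certificate validation even after the cert is trusted. Append `-addext "subjectAltName=DNS:cve-dashboard.local,DNS:localhost,IP:127.0.0.1"` to that line (needs OpenSSL 1.1.1 or later). The example also sets `TLS_ENABLED=true`, yet per the `# If cert and key files exist` comment HTTPS only happens when both files are found, so a missing or mistyped `TLS_CERT`/`TLS_KEY` silently yields plain HTTP; a caveat such as `# NOTE: TLS_ENABLED=true does not fail when the files are missing — the server falls back to HTTP and logs it` would keep that from surprising anyone deploying with these values.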
@@ -1203,8 +1203,30 @@ if (fs.existsSync(frontendBuild)) {
 });
 }
-// Start server
-app.listen(PORT, () => {
- console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
- console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
-});
+// Start server — use HTTPS if TLS cert/key are available, otherwise plain HTTP
+const TLS_CERT = process.env.TLS_CERT || path.join(__dirname, 'certs', 'cert.pem');
+const TLS_KEY = process.env.TLS_KEY || path.join(__dirname, 'certs', 'key.pem');
+const TLS_ENABLED = process.env.TLS_ENABLED !== 'false' && fs.existsSync(TLS_CERT) && fs.existsSync(TLS_KEY);
+
+if (TLS_ENABLED) {
+ const https = require('https');
+ const httpsOptions = {
+ cert: fs.readFileSync(TLS_CERT),
+ key: fs.readFileSync(TLS_KEY),
+ };
+ https.createServer(httpsOptions, app).listen(PORT, () => {
+ console.log(`CVE API server running on https://${API_HOST}:${PORT}`);
+ console.log(`TLS: enabled (cert: ${TLS_CERT})`);
+ console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
+ });
+} else {
+ app.listen(PORT, () => {
+ console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
+ if (!fs.existsSync(TLS_CERT) || !fs.existsSync(TLS_KEY)) {
+ console.log('TLS: disabled (no certs found in backend/certs/)');
+ } else {
+ console.log('TLS: disabled (TLS_ENABLED=false)');
+ }
+ console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
+ });
+}
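Review bot: A relative `TLS_CERT`/`TLS_KEY` taken from the environment — which is exactly what the shipped `.env.example` values `certs/cert.pem` and `certs/key.pem` are — is checked by `fs.existsSync` against the process cwd, while the defaults on the same two `const` lines are anchored to `__dirname`; start the process from the repository root and both checks fail, `TLS_ENABLED` becomes false, and the server comes up on plain HTTP while logging `TLS: disabled (no certs found in backend/certs/)`, a path it never looked at. Resolve both values against `__dirname` so env-supplied paths behave like the defaults, and have the fallback branch print the resolved paths it actually checked, as a warning, since a downgrade to cleartext deserves more than an info line. Whether an explicit `TLS_ENABLED=true` with missing files should be fatal instead of a silent downgrade is a design choice the commit message does not address, but it is worth deciding deliberately: in production a typo in `TLS_CERT` currently produces a cleartext listener. For a CA-issued cert (which the new `.gitignore` comment anticipates) `cert.pem` must carry the full chain, leaf plus intermediates, because no `ca` option is passed to `https.createServer`. The `if (fs.existsSync(frontendBuild))` block that the hunk's leading context lines close begins outside the hunk.

```javascript
// Start server — use HTTPS if TLS cert/key are available, otherwise plain HTTP
// Env-supplied relative paths (as in .env.example) resolve against backend/, like the defaults.
const TLS_CERT = path.resolve(__dirname, process.env.TLS_CERT || path.join('certs', 'cert.pem'));
const TLS_KEY = path.resolve(__dirname, process.env.TLS_KEY || path.join('certs', 'key.pem'));
const certsPresent = fs.existsSync(TLS_CERT) && fs.existsSync(TLS_KEY);
const TLS_ENABLED = process.env.TLS_ENABLED !== 'false' && certsPresent;
// … unchanged: HTTPS branch (https.createServer … listen) …
    console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
    if (!certsPresent) {
      console.warn(`TLS: disabled — cert/key not found (checked ${TLS_CERT} and ${TLS_KEY}); serving plain HTTP`);
    } else {
      console.log('TLS: disabled (TLS_ENABLED=false)');
    }
// … unchanged: CORS origins log, listener close …
```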