All-in on SSL on Modulus
I am hosting my node.js + Express app https://morningfa.me on Modulus and without question everything must go through https. This is the full picture of how I set it up.
Redirecting to HTTPS
In the admin panel I activated Modulus' redirection feature so that any http requests will be redirected.
Since Modulus has a proxy that does SSL termination, my app can still `require('http')`. The https module is not needed.
Getting my own SSL certificate
After the first step I couldn't access my domain morningfa.me without a security violation in the browser anymore. I had to buy an SSL certificate for the domain "www.morningfa.me". This is automatically also valid for "morningfa.me".
Modulus has a great guide on how to buy and install the certificate. After following those steps my configuration looked like this:
BTW, I pasted the same private key and certificate for both entries in the custom SSL section. To test if everything is properly configured I used Symantec's tester, which actually helps you to fix problems, and afterwards I used Qualys SSL Labs for a more advanced look.
Redirecting WWW to non-WWW
I prefer to use "morningfa.me" instead of "www.morningfa.me" so I needed a redirection mechanism. The other way around would be easy but this is actually a little tough due to limitations of the DNS entries.
I configured two DNS A-record entries in my domain settings. I registered my domain with Bluehost where these entries look like this:
Depending on where you bought your domain your configuration may look a little different. Anyway, the IPs you need to use are listed here.
At this point both "morningfa.me" and "www.morningfa.me" are forwarded to the Modulus servers and don't show security violations in the browser anymore. To finally redirect www to non-www URLs I added a small Express middleware:
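``` js
// Redirect www.<domain> to the bare domain, always over HTTPS
app.use(function (req, res, next) {
  // The Host header can be missing (HTTP/1.0), so default to an empty string
  var host = req.headers.host || '';
  if (/^www\./i.test(host)) {
    // Strip the leading "www." and keep the original path and query
    res.redirect(301, 'https://' + host.slice(4) + req.url);
  } else {
    return next();
  }
});
```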
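A stricter variant of the middleware above, as an added example that is not part of the original post: the Host header is supplied by the client, so this version redirects to a fixed canonical host and rejects Host values it does not know. The names `canonicalRedirect`, `otherAllowedHosts` and `run`, and the mock request/response objects, are assumptions made for illustration; any platform-assigned hostname the app must answer on would need to be passed in `otherAllowedHosts`.

```js
var CANONICAL_HOST = 'morningfa.me'; // the bare domain used on this page

// Express-compatible middleware factory (hypothetical helper, not from the post)
function canonicalRedirect(canonicalHost, otherAllowedHosts) {
  var wwwHost = 'www.' + canonicalHost;
  var allowed = [canonicalHost].concat(otherAllowedHosts || []);
  return function (req, res, next) {
    // Host may be missing (HTTP/1.0) and may carry a port or a trailing dot
    var raw = String(req.headers.host || '').toLowerCase();
    var hostname = raw.replace(/:\d+$/, '').replace(/\.$/, '');
    if (hostname === wwwHost) {
      // The target host is a constant; only path and query come from the request
      return res.redirect(301, 'https://' + canonicalHost + req.url);
    }
    if (allowed.indexOf(hostname) === -1) {
      // Unknown Host value: refuse instead of serving or redirecting
      res.statusCode = 400;
      return res.end('Bad Request');
    }
    return next();
  };
}

// Constructed mock objects so the middleware can be exercised without Express
function run(host, url) {
  var result = { status: null, location: null, passed: false };
  var req = { headers: host === undefined ? {} : { host: host }, url: url };
  var res = {
    statusCode: 200,
    redirect: function (status, location) {
      result.status = status;
      result.location = location;
    },
    end: function () { result.status = this.statusCode; }
  };
  canonicalRedirect(CANONICAL_HOST)(req, res, function () { result.passed = true; });
  return result;
}

// Constructed sample requests
console.log(run('www.morningfa.me', '/login?next=%2Fhome'));
console.log(run('morningfa.me', '/'));
console.log(run('www.attacker.example', '/'));
```
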
Securing the Session Cookie
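I use express-session, which sends a cookie to the browser. Since I am only using HTTPS I can improve the security by marking the cookie as secure. This way the browser will only send the cookie over the wire when a secure connection is made.
The session parameters needed to use a secure cookie on Modulus are the following. Because SSL terminates at the Modulus proxy, the app itself only sees plain HTTP; `proxy: true` tells express-session to trust the proxy's X-Forwarded-Proto header when deciding whether the secure cookie may be set.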
``` js
app.use(session({
  // ...
  cookie: {
    // ...
    secure: true
  },
  proxy: true
}));
```
That's it. Hope it helps. And if you got stuck somewhere let me know in the comments and I will fill in the blanks.