TLS Configuration
Rezo gives you full control over TLS/SSL settings for HTTPS connections. You can specify CA certificates, client certificates for mutual TLS, version constraints, and server certificate validation rules.
Custom CA Certificates
To trust a private or self-signed certificate authority, provide the CA certificate:
import rezo from 'rezo';
import fs from 'node:fs';
// Single CA
await rezo.get('https://internal.company.com/api', {
  ca: fs.readFileSync('/path/to/ca.pem'),
});
// Multiple CAs
await rezo.get('https://internal.company.com/api', {
  ca: [
    fs.readFileSync('/path/to/ca1.pem'),
    fs.readFileSync('/path/to/ca2.pem'),
  ],
});
// Inline PEM string
await rezo.get('https://internal.company.com/api', {
  ca: `-----BEGIN CERTIFICATE-----
MIID...
-----END CERTIFICATE-----`,
});
Client Certificates (mTLS)
For mutual TLS authentication where the server requires the client to present a certificate:
import { Rezo } from 'rezo';
import fs from 'node:fs';
const client = new Rezo({
  baseURL: 'https://secure.internal.company.com',
  cert: fs.readFileSync('/path/to/client.crt'),
  key: fs.readFileSync('/path/to/client.key'),
});
await client.get('/api/sensitive-data');
PKCS#12 Bundles
For certificates bundled in .p12 or .pfx format:
await rezo.get(url, {
  pfx: fs.readFileSync('/path/to/certificate.p12'),
  passphrase: 'bundle-password',
});
Accepting Self-Signed Certificates
By default, Rezo validates the server’s certificate chain. To skip validation during development:
await rezo.get('https://localhost:8443/api', {
  rejectUnauthorized: false,
});
Warning: Never set rejectUnauthorized: false in production. It disables all certificate validation, allowing connections to servers with expired, self-signed, or otherwise invalid certificates.
TLS Version Constraints
Restrict which TLS protocol versions are allowed:
const client = new Rezo({
  minVersion: 'TLSv1.2', // Reject TLS 1.0 and 1.1
  maxVersion: 'TLSv1.3', // Allow TLS 1.3 if the server supports it
});
Valid values: 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'.
For most applications, setting minVersion: 'TLSv1.2' is recommended to avoid deprecated protocol versions.
Server Certificate Validation
Pin requests to a specific certificate subject, issuer, or fingerprint:
await rezo.get('https://api.example.com', {
  serverCertificateValidation: {
    subject: 'api.example.com',
    issuer: "Let's Encrypt Authority X3",
    fingerprint: 'SHA256:2C:78:FF:...',
    hostname: 'api.example.com',
  },
});
Certificate Pinning
For maximum security, pin to a known certificate fingerprint:
const client = new Rezo({
  baseURL: 'https://api.bank.com',
  serverCertificateValidation: {
    fingerprint: 'SHA256:2C:78:FF:...',
  },
});
// Requests will fail if the server presents a different certificate
await client.get('/account/balance');
Instance-Level TLS Defaults
Set TLS options on a Rezo instance so they apply to all requests:
const client = new Rezo({
  baseURL: 'https://api.example.com',
  ca: fs.readFileSync('/path/to/corporate-ca.pem'),
  minVersion: 'TLSv1.2',
});
// All requests use the corporate CA and TLS 1.2+
await client.get('/users');
await client.post('/data', { key: 'value' });
Per-Request TLS Override
Override instance-level TLS settings for a specific request:
const client = new Rezo({
  ca: corporateCA,
  rejectUnauthorized: true,
});
// This request uses a different CA and client certificate
await client.get('https://partner-api.com/data', {
  ca: partnerCA,
  cert: clientCert,
  key: clientKey,
});
Stealth Profiles and TLS
When using Rezo’s stealth module, TLS settings are configured automatically to match a real browser’s fingerprint. You do not need to set any TLS options manually:
import { Rezo, RezoStealth } from 'rezo';
const stealth = new RezoStealth({ profile: 'chrome-131' });
const config = stealth.resolve();
const client = new Rezo();
await client.get('https://example.com', config);
// TLS is configured to match Chrome 131's handshake automatically
Stealth profiles set the appropriate protocol versions and protocol preferences to match the selected browser. See the Stealth documentation for details.
Debugging TLS
Enable debug mode to inspect the TLS connection:
const response = await rezo.get('https://example.com', {
  debug: true,
});
// [Rezo Debug] TLS: TLSv1.3, TLS_AES_128_GCM_SHA256
// [Rezo Debug] Certificate: CN=example.com, Issuer: Let's Encrypt
See Socket Telemetry for programmatic access to TLS connection details.
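The settings this page warns about (rejectUnauthorized: false, deprecated minVersion or maxVersion values) can slip in through a per-request override. The following is an added example, not part of Rezo or its documentation: two hypothetical helpers, effectiveTlsOptions and auditTlsOptions, compute the TLS options a request would use and flag weak ones, assuming per-request options shallow-override instance defaults.

```javascript
// Added example (not Rezo code). Assumption: per-request options shallow-override
// instance defaults; Rezo's actual merge rules are not documented on this page.
const TLS_VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']; // valid values per this page
const TLS_KEYS = ['ca', 'cert', 'key', 'pfx', 'passphrase', 'rejectUnauthorized',
  'minVersion', 'maxVersion', 'serverCertificateValidation'];

// Hypothetical helper: the TLS options one request would effectively use.
function effectiveTlsOptions(instanceDefaults = {}, requestOptions = {}) {
  const merged = { ...instanceDefaults, ...requestOptions };
  return Object.fromEntries(TLS_KEYS.filter((k) => k in merged).map((k) => [k, merged[k]]));
}

// Hypothetical helper: returns findings for settings this page warns against.
function auditTlsOptions(options, { production = true } = {}) {
  const findings = [];
  const add = (severity, option, message) => findings.push({ severity, option, message });
  const rank = (v) => TLS_VERSIONS.indexOf(v);
  const floor = rank('TLSv1.2');

  if (options.rejectUnauthorized === false) {
    add(production ? 'high' : 'info', 'rejectUnauthorized', 'certificate validation is disabled');
  }
  for (const key of ['minVersion', 'maxVersion']) {
    if (!(key in options)) continue;
    const r = rank(options[key]);
    if (r === -1) add('high', key, `not a valid TLS version: ${options[key]}`);
    else if (r < floor) add('medium', key, `${options[key]} is a deprecated protocol version`);
  }
  if (!('minVersion' in options)) add('low', 'minVersion', "not set; 'TLSv1.2' is the recommended floor");
  const min = rank(options.minVersion), max = rank(options.maxVersion);
  if (min > -1 && max > -1 && min > max) add('high', 'minVersion', 'minVersion is above maxVersion');
  return findings;
}

// Constructed sample: a safe instance config and a per-request override that weakens it.
const instanceDefaults = { baseURL: 'https://api.example.com', rejectUnauthorized: true, minVersion: 'TLSv1.2' };
const override = { rejectUnauthorized: false, minVersion: 'TLSv1' };
for (const f of auditTlsOptions(effectiveTlsOptions(instanceDefaults, override))) {
  console.log(`[${f.severity}] ${f.option}: ${f.message}`);
}
```

Run the audit in CI or at startup over every instance config and known override, and fail the build on any high finding.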