Encryption #10

Open
@mifi

Either:

  1. Generate an encryption key during startup and put it in the URL. This has the disadvantage that if the user needs to type the URL, it will be longer. Or...
  2. Generate an encryption key and send it to the FIRST user that connects and loads the page. Then set the key in that user's local storage, and never send it again from the backend. The user will then use this key. Reset key next session. Maybe show a simple challenge (4 digit PIN) on the server, and make the client type this before handing the key.

After the key has been exchanged, we can encrypt all requests and responses, maybe similar to this:
https://github.com/mwiesmueller/express-crypto

Need to also verify that every request is coming from the one sender.

In any case, if an attacker sniffs the initial key exchange, they can intercept the data being sent.

https://tools.ietf.org/html/rfc8188
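
A sketch of option 2 above, as an added example that is not part of the original issue or the project's code: the key is handed out once behind an attempt-limited PIN, and each request is sealed with AES-256-GCM with a counter as authenticated data so the server can reject replays and senders without the key. All function and field names are hypothetical, and Node's built-in `crypto` is assumed in place of the linked library or the RFC 8188 wire format.

```javascript
const crypto = require('crypto');

// Hypothetical names throughout; constructed for illustration.
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();
const aadFor = (n) => { const b = Buffer.alloc(8); b.writeBigUInt64BE(BigInt(n)); return b; };

function createSession(maxPinAttempts = 3) {
  return {
    key: crypto.randomBytes(32), // new key every session
    pin: String(crypto.randomInt(0, 10000)).padStart(4, '0'), // displayed on the server
    attemptsLeft: maxPinAttempts, // a 4-digit PIN needs a guess limit
    keyHandedOut: false,
    lastCounter: 0,
  };
}

// Give the key to the first client that types the PIN, then never again.
function claimKey(session, pinGuess) {
  if (session.keyHandedOut || session.attemptsLeft <= 0) return null;
  if (!crypto.timingSafeEqual(sha256(pinGuess), sha256(session.pin))) {
    session.attemptsLeft -= 1;
    return null;
  }
  session.keyHandedOut = true;
  return session.key;
}

// Client side: encrypt a body; the counter is authenticated as AAD.
function seal(key, counter, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aadFor(counter));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { counter, body: Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64') };
}

// Server side: reject replays, tampering, and senders without the key.
function unseal(session, msg) {
  try {
    if (!Number.isSafeInteger(msg.counter) || msg.counter <= session.lastCounter) return null;
    const raw = Buffer.from(msg.body, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', session.key, raw.subarray(0, 12));
    d.setAAD(aadFor(msg.counter));
    d.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    session.lastCounter = msg.counter;
    return pt;
  } catch (e) { return null; }
}
```

The key handout itself still travels in the clear unless the connection is otherwise protected, which is the sniffing limitation the issue already notes.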

Labels: enhancement (New feature or request)
