79317971

Date: 2024-12-30 15:35:56
Score: 1

As @luk2302 commented, you should think carefully about why you would want to do this.

In most cases, it is good enough to rely on the security provided by HTTPS. It keeps your application simple and provides a high level of security. A few things to note for the server side:

In cases where you anticipate greater risk, such as cases where users are more vulnerable to social engineering attacks, you should implement an additional layer of protection that significantly increases the complexity of an MitM attack. If a user installs a malicious certificate and sends traffic through a malicious proxy, an attacker could steal the user's credentials via an MitM attack. In such cases, implementing additional encryption may be necessary.

For such situations, negotiating a secure key exchange process and using public key cryptography over HTTPS should solve your needs. You can research ECDH for more information.

Posted by: Ahmad Alfawwaz Timehin
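As an added illustration of the ECDH-over-HTTPS approach the answer points to (example code written for this page, not from the answer's author), here is the exchange in Go using only the standard library: each side generates an ephemeral X25519 key pair, only the public values cross the already-TLS-protected channel, and both sides derive the same AES-256-GCM key for the application-layer payload. The function names, the "app-layer-v1|" label and the use of a labelled SHA-256 in place of HKDF are assumptions made to keep the example short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair makes a fresh X25519 key pair; generate one per session, never reuse it.
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// SessionAEAD turns our private key and the peer's 32-byte public value into an AES-256-GCM
// cipher. NewPublicKey rejects malformed input; ECDH rejects low-order points (all-zero secret).
func SessionAEAD(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	// Labelled SHA-256 stands in for HKDF here (assumption for brevity, not a recommendation).
	key := sha256.Sum256(append([]byte("app-layer-v1|"), shared...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid for AES-256
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one payload; output layout is nonce || ciphertext || tag.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open checks the tag before decrypting, so a modified or truncated payload is rejected.
func Open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	return aead.Open(nil, msg[:n], msg[n:], nil)
}
```

On its own an ephemeral exchange is only as MitM-resistant as the authenticity of the peer's public value: the client must be able to verify the server's value (for example, a pinned server key or a signature by a key the app already trusts), or a proxy that terminates TLS can simply run its own exchange with each side.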