Security

    On the Internet it is possible for a third party to intercept packets being transmitted between clients and servers. HTTPS encrypts those packets.

    • HTTPS is considered sufficiently secure for banking, corporate security and healthcare.
    • The server has a public key certificate, sometimes called an SSL certificate.
    • X.509 is the standard format for SSL certificates.
    • For this chain of trust to work between CAs and browsers, your server must use a certificate issued by a CA.
    • Browsers will only trust certificates generated by a known CA; otherwise they warn the user that the SSL certificate is untrusted.

    Install OpenSSL

    • OSX: brew install openssl
    • Ubuntu: sudo apt-get install openssl
    • Generate a self-signed certificate (meadowlark.crt) and its private key (meadowlark.pem), valid for 365 days: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout meadowlark.pem -out meadowlark.crt
    • A self-signed certificate is not issued by a known CA, so browsers show the untrusted-certificate warning described above; it is fine for development, not for production.

    90% of the 50 root certificates distributed with every major browser are owned by four companies:

    • Symantec (who purchased VeriSign)
    • Comodo Group
    • Go Daddy
    • GlobalSign

    A certificate can cost from $10 to $300 per year:

    • the encryption level is the same at all prices
    • the customer support varies depending on the price

    Avoid chained root certificates since they are more difficult to set up.

    Certificate extensions

    • .crt, .cer, or .der

    Private key extensions

    • .pem and .key

    When creating a server this will be the normal way:

    Switching to HTTPS will be:

    var https = require('https')
    var fs = require('fs')

    // Private key and certificate generated with the openssl command above
    var options = {
      key: fs.readFileSync(__dirname + '/ssl/meadowlark.pem'),
      cert: fs.readFileSync(__dirname + '/ssl/meadowlark.crt')
    }

    // Same Express app as before, but served over TLS instead of http.createServer
    https.createServer(options, app).listen(app.get('port'), function () {
      console.log('Express started in ' + app.get('env') + ' mode on port ' + app.get('port') + '.')
    })

    Ports

    • HTTP runs on port 80
    • HTTPS runs on port 443

    Using proxies

    • When a proxy terminates TLS in front of your app, the connection to Node is plain HTTP; the proxy reports the protocol the client actually used in the HTTP header x-forwarded-proto ('http' or 'https').
    • Any client can send that header too, so only trust it when you know a proxy you control sets it.
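    The proxy rule in practice, as an added example (not the Meadowlark code from the book): an Express-style middleware that treats a request as HTTPS only when Node saw TLS itself or when a trusted proxy set x-forwarded-proto, and redirects everything else. The req/res objects are constructed stand-ins so the decision can be exercised without a server or network.

```javascript
'use strict'

// True when the client reached us over HTTPS. req.secure is set by Node for a
// direct TLS connection. Behind a TLS-terminating proxy the hop to Node is plain
// HTTP and the proxy reports the client's scheme in X-Forwarded-Proto. Any client
// can send that header as well, so it is only honoured when trustProxy is true.
function isSecureRequest (req, trustProxy) {
  if (req.secure) return true
  if (!trustProxy) return false
  var proto = req.headers['x-forwarded-proto'] || ''
  // Chained proxies may append values ("https, http"); the first is the client's hop.
  return proto.split(',')[0].trim().toLowerCase() === 'https'
}

// Middleware factory: pass secure requests through, redirect everything else to HTTPS.
function requireHttps (trustProxy) {
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) return next()
    var host = req.headers.host
    if (!host) return res.status(400).send('Host header required')
    res.redirect(301, 'https://' + host + req.url)
  }
}

// Run the middleware against a constructed request and report what it did
// (action: 'next', 'redirect' or 'reject'), so the logic is testable offline.
function simulate (headers, secure, trustProxy) {
  var req = { secure: !!secure, headers: headers, url: '/cart' }
  var result = { action: null }
  var res = {
    status: function (code) { result.code = code; return res },
    send: function () { result.action = 'reject' },
    redirect: function (code, location) {
      result.action = 'redirect'; result.code = code; result.location = location
    }
  }
  requireHttps(trustProxy)(req, res, function () { result.action = 'next' })
  return result
}

// Constructed requests: the same spoofable header is ignored without a trusted
// proxy (redirect) and accepted with one (next).
console.log(simulate({ host: 'meadowlark.example', 'x-forwarded-proto': 'https' }, false, false))
console.log(simulate({ host: 'meadowlark.example', 'x-forwarded-proto': 'https' }, false, true))
```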

    Cross-Site Request Forgery (CSRF)

    • You can use the npm package csurf to generate a unique token to include in forms and Ajax calls, so the server knows the request comes from your own website rather than from a page on another origin.