Quote:
Originally Posted by goofyballer
I has some questions about HTTPS. I added login w/ google accounts to my little project (this and this were great tutorials on setting that up w/ passport), and I figure that when sending things like Google login tokens or whatever around I should probably do so securely. I discovered that with the place I'm hosting my website, if I just put "https" in front of the URL instead of "http", everything seems to just work without any changes on my end, but this seems almost too easy and therefore I'm suspicious of it.
This is actually how stripe and other payment processors work.
So, questions:
Quote:
- Should this work? Am I really in the clear for HTTPS just by using a magic server that apparently lets either protocol work for me?
A server, as you may know, is basically a computer with ports that allows outside traffic in.
Port 80 is the standard public-facing HTTP port.
Port 443 is the port used for HTTPS.
Port [3000 | 8080 | etc] is the port you are using with an app server like Jetty, etc. I'm not sure what the defaults are for Node, but I don't ever use the default ports if I can help it. I'm going to use 3000.
If you are using a proxy server like nginx or apache, the inbound traffic is coming in at port 80. When you have HTTPs set up, you are redirecting 80 -> 443 -> 3000.
Quote:
- I added a middleware package that auto redirects any HTTP request to HTTPS. However, in the course of the many StackOverflow links I've read while working on this authentication stuff, one thing I saw was that I should be careful about cookies w/ identifying session information being sent over HTTP and I should make sure cookies are only sent via HTTPS. According to express-session documentation I can do that with session options but they have this caveat:
Please note that secure: true is a recommended option. However, it requires an https-enabled website, i.e., HTTPS is necessary for secure cookies. If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express:
This is where I'm kinda getting into "I have no idea what I'm doing" territory - how would I figure out if this is the setup my host has? Additionally, since I mentioned I've made no changes to my code to account for HTTPS, does the fact that I'm still listening on a plain old `http` server rather than `https` mean that none of this will work at all if I enable that setting?
The caveat is basically what I wrote above. When you are using the middleware, you are redirecting 80 -> 443 -> 3000 using middleware instead of nginx / apache. Your site will always redirect away from port 80, so accessing HTTP, as you have it set up, isn't possible...
It
can be an issue if your cert expires, there is some misconfig, etc, which would temporarily force your app to be served on HTTP. That's all
HTTPS is necessary for secure cookies. If secure is set, and you access your site over HTTP, the cookie will not be set is saying. This means that, if you have an HTTPs problem, you will have to rebuild your app with the new params until it can be served on HTTPs again.
I don't know all the specifics here, but
If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express: is saying "if you are using nginx / apache / etc and you are redirecting 80 -> 443 -> 3000, you need to add a param to add the 'trust proxy' param."
Hope all that helps. My personal tastes is to use a proxy server and skip redirecting middleware. The other option is using one of CloudFlare's certs, which is included in their free tier. I'm pretty sure they are better at dealing with certs than I am.