Security

Security is as strong as the weakest link, and the first link in that chain is the network protocol.

• NodeJS Security checklist

HTTPS

HTTP Secure

In the Internet it is possible for third party to intercept packets being transmitted between clients and servers. HTTPS encrypts those packets.

• HTTPS is considered sufficiently secure for banking, corporate security and healthcare
• The server has a public key certificate sometimes called SSL certificate.
• X.509 is a standard format for SSL certificates.

Certificate authorities

A certificate authority (CA) makes trusted root certificates available to browser vendors.

• Browser vendors include these trusted root certificates when you install a browser.
• For this chain of trust to work between CA and browsers, your server must use a certificate issued by a CA.
• browsers will only trust certificates generated by a known CA. Otherwise it will warn the user that the SSL certificate is untrusted.

Generating your own certificate

Install OpenSSL

• OSX brew install openssl
• Ubuntu sudo apt-get install openssl

Generate a private key and a public certificate

• openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout meadowlark.pem -out meadowlark.crt

A PEM is a Privacy-enhanced Electronic Mail file which is the private key. The CRT file is self-signed certificate that will be sent to the browser to establish the secure connection.

Ref

• OpenSSL docs

Purchasing a Certificate

90% of the 50 root certificates distributed with every major browser are owned by four companies

• Symantec (who purchased VeriSign)
• Comodo Group
• Go Daddy
• GlobalSign

A certificate can cost from $10 to $300 per year

• the encryption level is the same in all prices
• the customer support varies depending on the price

Avoid chained root certificates since they are more difficult to setup.

Certificate extensions

• .crt, .cer, or .der
• DER stands for Distinguished Encoding Rules

Private key extensions

• .pem and .key

Enabling HTTPS for your Express App

When creating a server this will be the normal way:

http.createServer(app).listen(app.get('port'), function() {
  console.log('Express started in ' + app.get('env') + ' mode on port ' + app.get('port') + '.')
})

Switching to HTTPS will be:

var https = require('https')

var options = {
  key: fs.readFileSync(__dirname + '/ssl/meadowlark.pem'),
  cert: fs.readFileSync(__dirname + '/ssl/meadowlark.crt')
}
https.createServer(options, app).listen(app.get('port'), function () {
  console.log('Express started in ' + app.get('env') + ' mode on port ' + app.get('port') + '.')
})

Ports

• HTTP runs on port 80
• HTTPS runs on port 443

Using proxies

• HTTP header x-forwarded-proto contains the type of protocol used
• set express to app.enable('trust proxy') so req.protocol, req.secure and req.ip will refer to the client's connection to the proxy, not to your app

Cross-Site Request Forgery (CSRF)

A malicious site will try to check if you are logged in into a session of other site eg. a bank and try to make request on your behalf.

• you can use npm package csurf to generate unique token to include in forms and Ajax calls so the server knows the request comes from your website.