Security

Security is as strong as the weakest link, and the first link in that chain is the network protocol.

HTTPS

HTTP Secure

On the Internet a third party can intercept packets in transit between a client and a server. HTTPS encrypts those packets, and it also authenticates the server so the client knows which site it is really talking to.

  • HTTPS is considered sufficiently secure for banking, corporate security and healthcare
  • The server has a public key certificate, usually called an SSL certificate (the protocol in use today is TLS, but the name stuck).
  • X.509 is the standard format for these certificates.

Certificate authorities

A certificate authority (CA) issues certificates and makes its trusted root certificates available to browser vendors.

  • Browser vendors ship these trusted root certificates with the browser (some browsers use the operating system's trust store instead).
  • For this chain of trust to work, your server must use a certificate issued by one of those CAs, either directly from a root or through an intermediate certificate that itself chains to a root.
  • A browser only trusts a certificate that chains to a root in its store. Otherwise it warns the user that the SSL certificate is untrusted.

Generating your own certificate

Install OpenSSL

  • OS X: brew install openssl
  • Ubuntu: sudo apt-get install openssl

Generate a private key and a public certificate

  • openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout meadowlark.pem -out meadowlark.crt

PEM (Privacy-Enhanced Mail) is a Base64 container format with -----BEGIN ...----- and -----END ...----- markers; here meadowlark.pem holds the 2048-bit RSA private key, which must stay on the server and never be sent anywhere. meadowlark.crt is the self-signed certificate (that is what -x509 requests instead of a signing request) that the server sends to the browser during the TLS handshake. -nodes leaves the private key unencrypted on disk so the server can start without a passphrase, and -days 365 makes the certificate expire after a year. A self-signed certificate is fine for development, but browsers will warn on it because it chains to no trusted root.


Purchasing a Certificate

At the time these notes were written, 90% of the 50 root certificates distributed with every major browser were owned by four companies:

  • Symantec (who purchased VeriSign; Symantec's CA business has since been sold to DigiCert)
  • Comodo Group
  • Go Daddy
  • GlobalSign

A certificate can cost from $10 to $300 per year.

  • the strength of the encryption does not depend on the price: it is determined by the key you generate and by the TLS configuration of your server and the client's browser
  • what varies with price is customer support and how much identity validation the CA performs before issuing

Prefer a certificate signed directly by a root where the CA offers one. A chained (intermediate) certificate is more work to set up: your server must send the intermediate certificates along with its own, or browsers cannot build the chain to a trusted root and will warn.

Certificate extensions

  • .crt, .cer, or .der (the content may be PEM text or binary DER regardless of the extension)
  • DER stands for Distinguished Encoding Rules, the binary encoding of X.509

Private key extensions

  • .pem and .key

Enabling HTTPS for your Express App

When creating a server this is the normal (plain HTTP) way:

  var http = require('http')

  http.createServer(app).listen(app.get('port'), function () {
    console.log('Express started in ' + app.get('env') + ' mode on port ' + app.get('port') + '.')
  })

Switching to HTTPS means handing the private key and certificate from the previous section to the https module instead:

  var fs = require('fs')
  var https = require('https')

  // key: the private key (meadowlark.pem); cert: the certificate sent to browsers (meadowlark.crt)
  var options = {
    key: fs.readFileSync(__dirname + '/ssl/meadowlark.pem'),
    cert: fs.readFileSync(__dirname + '/ssl/meadowlark.crt')
  }

  https.createServer(options, app).listen(app.get('port'), function () {
    console.log('Express started in ' + app.get('env') + ' mode on port ' + app.get('port') + '.')
  })

Keep the ssl directory out of version control and readable only by the user the server runs as: anyone who obtains meadowlark.pem can impersonate the site.

Ports

  • HTTP runs on port 80
  • HTTPS runs on port 443

Using proxies

When a reverse proxy (load balancer, CDN, nginx) terminates TLS in front of your app, the connection that reaches Express is plain HTTP, so req.secure would be false and an HTTP-to-HTTPS redirect would loop.

  • the proxy sets the HTTP header x-forwarded-proto to the protocol the client actually used (and x-forwarded-for to the client's address)
  • set app.enable('trust proxy') so req.protocol, req.secure and req.ip refer to the client's connection to the proxy, not to the proxy's connection to your app
  • app.enable('trust proxy') trusts those headers from every peer, and any client that can reach the app directly can forge them; if the app is reachable other than through the proxy, use app.set('trust proxy', <proxy addresses>) so the headers are only believed from the proxy itself
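The following is an added example, not code from the page or from Express itself, showing what "trust proxy" changes for the HTTPS setup and proxy notes above. It models req.protocol / req.ip with plain request-like objects so it runs without Express; the proxy address list, the host name and the request objects are constructed for the example.

```javascript
// Added example (not from the page or from Express): how trusting a proxy changes
// the answers to "is this client on HTTPS?" and "what is the client's address?".
// Addresses of the reverse proxies we actually operate (assumption for the example);
// Express accepts the same idea via app.set('trust proxy', ['10.0.0.5', 'loopback']).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']);

// Constructed stand-in for an incoming Node request: socket facts plus headers.
function buildRequest({ encrypted = false, remoteAddress, headers = {}, host = 'meadowlark.example', url = '/' }) {
  return { socket: { encrypted, remoteAddress }, headers: { host, ...headers }, url };
}

// Protocol of the client's own connection. Without a trusted proxy the only honest
// answer is what our own socket looks like; with one, the leftmost entry of
// X-Forwarded-Proto (proxies append, so the leftmost is the client's hop) is used.
function clientProtocol(req, trustProxy) {
  const direct = req.socket.encrypted ? 'https' : 'http';
  if (!trustProxy || !TRUSTED_PROXIES.has(req.socket.remoteAddress)) return direct;
  const forwarded = req.headers['x-forwarded-proto'];
  if (!forwarded) return direct;
  return forwarded.split(',')[0].trim().toLowerCase();
}

// Client address with the same rule: X-Forwarded-For is only believed from a trusted proxy.
function clientIp(req, trustProxy) {
  if (!trustProxy || !TRUSTED_PROXIES.has(req.socket.remoteAddress)) return req.socket.remoteAddress;
  const forwarded = req.headers['x-forwarded-for'];
  return forwarded ? forwarded.split(',')[0].trim() : req.socket.remoteAddress;
}

// Decision behind an HTTP-to-HTTPS redirect: the Location to send with a 301,
// or null when the client already arrived over HTTPS.
function httpsRedirectTarget(req, trustProxy) {
  if (clientProtocol(req, trustProxy) === 'https') return null;
  return 'https://' + req.headers.host + req.url;
}

// Constructed cases: a request relayed by our proxy after it terminated TLS, and a
// request from an arbitrary host on the Internet that forges the same header.
const viaProxy = buildRequest({
  remoteAddress: '10.0.0.5',
  headers: { 'x-forwarded-proto': 'https', 'x-forwarded-for': '198.51.100.4' },
});
const spoofed = buildRequest({ remoteAddress: '203.0.113.7', headers: { 'x-forwarded-proto': 'https' } });

console.log('via proxy, trusted  :', clientProtocol(viaProxy, true), clientIp(viaProxy, true), httpsRedirectTarget(viaProxy, true));
console.log('via proxy, untrusted:', clientProtocol(viaProxy, false), clientIp(viaProxy, false), httpsRedirectTarget(viaProxy, false));
console.log('forged header       :', clientProtocol(spoofed, true), clientIp(spoofed, true));
```

With the proxy untrusted, the relayed request looks like plain HTTP and the redirect target points the client straight back at the page it just loaded over HTTPS, which is the redirect loop the notes warn about. With the proxy trusted but restricted to known addresses, the forged header from 203.0.113.7 is ignored and that client is still treated as HTTP.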

Cross-Site Request Forgery (CSRF)

A malicious site relies on the browser automatically attaching your cookies to requests for another site (e.g. your bank). If you are logged in there, a form or script on the malicious page can make requests on your behalf, without ever seeing your session.

  • the defense is a secret the malicious site cannot read: the npm package csurf generates a unique token per session that you include in forms and Ajax calls, so the server can tell the request was built by your own pages
  • csurf has since been deprecated by its maintainers; the same synchronizer-token pattern is available in other middleware, and the SameSite attribute on the session cookie is a second layer that stops the browser from sending the cookie on cross-site requests in the first place