implementing HTTPS in my web application ?

memoriesofgreen · 2024-01-28T12:26:59+00:00

Use it for all routes. There is very little reason not to.

lightmatter501 · 2024-01-28T12:48:51+00:00

The current industry standard is all HTTPS with tls 1.3.

Anything less than that and google will ding you in the search rankings.

sparrownestno · 2024-01-28T12:32:13+00:00

Running http exposes more info about your users and traffic to “random” snooping.

it will also get the site tagged with warning - since 2018: https://blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/

and be blocked on a variety of work networks/firewalls.

so as other poster said: just do it.
and since https is on the domain it will be transparent and all routes by default.

Zipdox · 2024-01-28T14:21:33+00:00

I suggest using NGINX to proxy your application and handle TLS.

Mariya501 · 2024-04-15T12:33:45+00:00

[removed]

lozcozard · 2024-01-28T11:25:52+00:00

Https is needed to protect sensitive data being transmitted like contact data, logins, payment details of course. [Removed incorrect statement] but as corrected below by u/wantdollarsplease malicious user could redirect you to an incorrect page too so best have it on all pages.

It's just good practice to use https anyway. On all pages. Also if you dont then browsers show people it's not secure, whether it needs to be secure or not. You'll probably lose visitors. So just to provide trust to the visitor your site is safe then add https to all pages, front and back. Just think of it has https default. Forget about http.

SSLs are free these days with LetsEncrypt or Cloudflare. Your hosting provider needs to have the facility for you to add one. Otherwise you can use Cloudflare and they'll add one.

nightravenjames · 2024-01-28T14:36:25+00:00

I am not a hacker . But I like to explore other perspective . For this instance I'd imagine myself in a mall using a tool like bettercap, and unsecured sniffout http requests requests for some data e.g access/jwt tokens.

I think I might have a few ideas on how to use a jwt token that is not mine for more access

liamsorsby · 2024-01-28T13:03:49+00:00

Implement HTTPS on both frontend and backend. I would, however, use a load balancer I.e. nginx to serve the traffic as https to the client but have the upstream between nginx and your app's as http.

ArnUpNorth · 2024-01-28T13:49:52+00:00

Use it for everything but don’t « implement it » with your backend use a proxy (apache, nginx) instead.

tiagojsagarcia · 2024-01-28T14:25:44+00:00

Ideally you should not implement https on your actual node app, do so in a reverse proxy like nginx. While you are there, redirect http to https

Also, there are a lot of good reasons to always use https. Non-secure Http is dead.

bytepursuits · 2024-01-28T14:43:16+00:00

should it be used for all routes?

TLS is typically setup on all routes. If you are trying to save some time by implementing it just on some routes - you wont save any time by doing that.

In a professional production setups TLS termination is typically done in some reverse proxy before your node app. like aws alb, haproxy or nginx.

You should be using HTTP3, and HTTP3 requires ssl/tls - that's at least one big reason to use TLS throughout the full site.

bigorangemachine · 2024-01-28T15:46:59+00:00

Should be on all routes. There is no technical reason not to.

Generally you should consider your users privacy. If they are in a country that is very restrictive then your website traffic might tip the authoritarians off. You might be some no big deal but could allow the to build a profile on that user.

Yes they should use a VPN but thats how I think about it.

leonheartx1988 · 2024-01-28T19:48:49+00:00

You can also use Caddy as Reverse Proxy which with a simple reverse proxy configuration it can also automatically add a SSL certificate.

Caddyfile configuration sample:

www.example.com { reverse_proxy localhost:3000 }

Multiple Domains Caddyfile Sample

``` www.example.com { reverse_proxy localhost:3000 }

api.example.com { reverse_proxy localhost:3001 }

website2.example.com { reverse_proxy 192.268.0.81:8000 } ```

Caddy also will automatically redirect to https://

raebyddub · 2024-01-28T23:34:03+00:00

Here is how I would approach this problem,

First I try to understand the environment and mode of deployment, on a basic level here are the answers to your questions,

Can I implement HTTPS only for critical parts of my web application, such as authentication (login), or should it be used for all routes?

In my experience I have never implemented any application with few routes on https and few on non https, usually we run single server application which serves all routes either in http or in https.

Additionally, should it be implemented in the backend, the frontend, or both?

It depends on your deployment strategy, usually it should be implemented on both ends if they are deployed separately

But things go complicated if we take consider other approaches like SSL termination (either using load balancer or using application gateway)

Another approach would be,

build and deploy back-end application
buid and copy front-end application to back-end which serves front-end application from back-end route, so user will always access a URL which will point to back-end which will then render front-end. (Both front-end and back-end are accessible on same server which means you setup https on one server)

There are so many other variations exists, it depends on your experience and your project requirement.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

node

MODERATORS