HTTPS: The Secure HTTP

devfish · March 7, 2023

Series: Network (2/4)

Don't forget..

  • When you set a cookie, including the cookie that carries a session ID or token, you must add the secure: true option (the Secure attribute) so the browser only sends it over HTTPS! Without it the same cookie is also sent over plain HTTP, where anyone on the network path can read it.
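The reminder above, as an added example that is not part of the original post: a helper that emits a Set-Cookie value with the Secure flag (plus HttpOnly and SameSite, which a session or token cookie should also carry) and an audit function that flags cookies missing them. Both use only Node built-ins; the function names are this example's own, and the Express equivalent of the builder is res.cookie(name, value, { secure: true, httpOnly: true, sameSite: 'strict' }).

```javascript
// Added example, not code from the original post. Builds a Set-Cookie header value
// with the attributes a session/token cookie needs behind HTTPS, and audits any
// Set-Cookie value so a cookie without Secure is caught. Names are this example's own.

// Build a Set-Cookie value. `opts` mirrors Express's res.cookie() options; defaults
// are the safe ones, so a caller has to opt out of Secure explicitly.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_|~]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  const {
    secure = true,        // Secure: the browser only sends the cookie over HTTPS
    httpOnly = true,      // HttpOnly: not readable from document.cookie (XSS theft)
    sameSite = 'Strict',  // SameSite: not attached to cross-site requests (CSRF)
    maxAge,               // lifetime in seconds; omitted = session cookie
    path = '/',
  } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${Math.floor(maxAge)}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Audit one Set-Cookie value (e.g. from a response in a test or a proxy log).
// Returns a list of findings; an empty list means the cookie is acceptable.
function auditSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Map();
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    flags.set(k.toLowerCase(), v);
  }
  const findings = [];
  if (!flags.has('secure')) findings.push(`${name}: missing Secure, also sent over plain HTTP`);
  if (!flags.has('httponly')) findings.push(`${name}: missing HttpOnly, readable by page scripts`);
  const sameSite = (flags.get('samesite') || '').toLowerCase();
  if (sameSite === '') findings.push(`${name}: no SameSite attribute`);
  if (sameSite === 'none' && !flags.has('secure')) findings.push(`${name}: SameSite=None requires Secure`);
  if (name.startsWith('__Host-') &&
      (!flags.has('secure') || flags.get('path') !== '/' || flags.has('domain'))) {
    findings.push(`${name}: __Host- prefix requires Secure, Path=/ and no Domain`);
  }
  return findings;
}

// Inside an https.createServer handler (Express: res.cookie('token', jwt, {...})):
//   res.setHeader('Set-Cookie', buildSetCookie('token', jwt, { maxAge: 3600 }));
```

The audit function is the useful half in practice: run it over the Set-Cookie headers your test suite or a proxy captures, and any cookie that would leak over HTTP shows up before it reaches production.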

History

HTTPS is the HTTP protocol carried over a connection encrypted with SSL/TLS. Netscape invented the now deprecated SSL (Secure Sockets Layer) protocol in the mid 90s to encrypt web traffic. Netscape later handed control of the protocol to the Internet Engineering Task Force (IETF), which released TLS (Transport Layer Security) in 1999 as the successor to SSL 3.0; TLS is maintained by the IETF. Today every SSL version and TLS 1.0/1.1 are deprecated, browsers and servers use TLS 1.2 or 1.3, and the name "SSL" survives mostly in tool and product names ("SSL certificate", OpenSSL).

How It Works

When a web server is configured for SSL/TLS, it does not encrypt traffic with a public key belonging to the client (the client usually has no certificate at all). Instead, the server proves its identity with a certificate that carries the server's public key, that public key is used to establish a shared secret, and the actual traffic is encrypted with a symmetric session key. The RSA key-exchange form of this handshake, which is what TLS 1.2 does when an RSA cipher suite is negotiated, goes like this:

  1. The web server sends its SSL/TLS certificate to the client, which includes the server's public key.
    • The server obtains its digital certificate from a Certificate Authority (CA) (there are well over a hundred publicly trusted CAs worldwide) by generating a certificate signing request (CSR), which contains its public key and information about the server (domain name, organization and so on), and sending it to the CA. The CA verifies that the requester really controls that domain and then issues the certificate. The certificate, which includes the server's public key and identity information, is signed (not encrypted) with the CA's private key, so anyone holding the CA's public key can check that it has not been altered.
  2. The client's browser verifies the certificate: the signature must chain up to a CA in the browser's trust store, the certificate must not be expired, and the domain name on the certificate (its Subject Alternative Name) must match the host the client is trying to connect to.
  3. Once the certificate checks out, the client's browser generates a random secret (TLS calls it the premaster secret) from which the symmetric session key is derived on both sides.
  4. The client's browser encrypts that secret with the server's public key and sends it to the server. Only the matching private key can decrypt it, so an eavesdropper who records the handshake learns nothing about the session key.
  5. The web server uses its private key to decrypt the secret, so both sides now hold the same symmetric session key.
  6. The server and client then use the symmetric session key to encrypt and decrypt every message they exchange. All data sent between them, including sensitive information such as passwords and credit card numbers, is protected from eavesdropping and tampering on the network.

One caveat: TLS 1.3 (and, by default, modern TLS 1.2 deployments) replaces steps 3 to 5 with an ephemeral Diffie-Hellman exchange. The certificate still authenticates the server, but the session key is computed independently by both sides and never sent over the wire, not even encrypted, so a server private key stolen later cannot decrypt recorded traffic (forward secrecy).

Symmetric vs Asymmetric Keys

Symmetric ciphers such as AES are orders of magnitude faster than asymmetric algorithms such as RSA (hundreds to thousands of times, depending on hardware and key size), and they are not less secure. Their problem is key distribution: both sides need the same key, and there is no safe way to send it over an untrusted network. Asymmetric cryptography solves exactly that problem. The server's public key is used once, to protect the key exchange, and from then on both sides encrypt and decrypt the bulk traffic with the same symmetric session key. That session key is specific to one connection, so compromising it exposes that connection and nothing else.

The Anatomy of a Digital Certificate

How to create a certificate

  • install mkcert from the terminal (macOS with Homebrew): brew install mkcert
  • create a local CA and add it to the system and browser trust stores (run once; the CA key is kept in mkcert's own CAROOT directory, not in your project): mkcert -install
  • get a certificate issued by that CA into the current directory
    • mkcert -key-file key.pem -cert-file cert.pem example.com "*.example.com"
    • mkcert -key-file key.pem -cert-file cert.pem localhost 127.0.0.1 ::1
      this second certificate is valid for localhost, 127.0.0.1 (IPv4) and ::1 (IPv6)
  • keep key.pem out of version control, and do not ship a mkcert certificate to production: it is only trusted on machines where you ran mkcert -install, and a real site needs a certificate from a publicly trusted CA

Create an HTTPS server with Node.js

const https = require('https');
const fs = require('fs');
const path = require('path');

// key.pem and cert.pem are the files mkcert wrote in the previous step.
// The private key never leaves this process; only cert.pem is sent to clients.
const options = {
  key: fs.readFileSync(path.join(__dirname, 'key.pem')),
  cert: fs.readFileSync(path.join(__dirname, 'cert.pem')),
};

https
  .createServer(options, function (req, res) {
    res.write('Congrats! You made https server now :)');
    res.end();
  })
  .listen(3001, () => console.log('listening on https://localhost:3001'));

Create an HTTPS server with Express

const https = require('https');
const fs = require('fs');
const path = require('path');
const express = require('express');

const app = express();

app.get('/', (req, res) => {
  res.send('Congrats! You made https server now :)');
});

// An Express app is itself a (req, res) handler, so pass it to createServer directly
// instead of the return value of app.use().
https
  .createServer(
    {
      key: fs.readFileSync(path.join(__dirname, 'key.pem')),
      cert: fs.readFileSync(path.join(__dirname, 'cert.pem')),
    },
    app
  )
  .listen(3001, () => console.log('listening on https://localhost:3001'));

