
Currently I have a NodeJS + ExpressJS client-side server set up and it makes API calls to the back-end server. But whenever I do, I first would have to go directly to the URL of the API back-end server and view the following page, and go to Advanced -> Proceed to https://backendserver.com:8080 (Unsafe), in order to be able to make the API call without any error.


Is there a way to always allow it to Proceed to https://backendserver.com:8080 without having to manually do it via browser?

Here is how I make the API call with fetch():

  loggingIn(userInfo) {

    var userInfoBody = {
        'username': `${userInfo.username}`,
        'password': `${userInfo.password}`
    }

    var configuration = {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(userInfoBody)
    }

    return function(dispatch) {
      // return the promise so the caller can wait on the request
      return fetch('https://backendserver.com:8080/creds', configuration)
      .then(response => response.json())
      .then(response => {
        console.log('Success and response is', response)
      })
      .catch((error) => {
        console.log("Error: ", error)
      })
    }
  } // closing brace of loggingIn (missing from the snippet as posted)

And my NodeJS + Express is set up like so:

var express = require('express');
var cors = require('cors');
var path = require('path');
var config = require('../webpack.config.js');
var webpack = require('webpack');
var webpackDevMiddleware = require('webpack-dev-middleware');
var webpackHotMiddleware = require('webpack-hot-middleware');
var app = express();
var compiler = webpack(config);

app.use(cors());

app.use(webpackDevMiddleware(compiler, {noInfo: true, publicPath: config.output.publicPath}));

app.use(webpackHotMiddleware(compiler));

app.use(express.static('./dist'));

app.use('/', function (req, res) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  res.sendFile(path.resolve('client/index.html'))
})

var port = 3000;

app.listen(port, function(error) {
  if (error) throw error;
  console.log("Listening to ", port);
})
  • use a valid certificate for backendserver.com:8080 – Jaromanda X Oct 12 '16 at 01:27
  • 1
    Add your self-signed certificate to the trusted store (see [this answer](http://stackoverflow.com/a/25723728/1625448)) or generate a valid one using [letsencrypt](https://letsencrypt.org). – mallendeo Oct 12 '16 at 01:33
  • @JaromandaX Sorry but does that need to be implemented by the front-end? Because I have no access to the back-end, and I am trying to figure out how to bypass it via code implementation so every user of the application doesn't have to manually bypass it. –  Oct 12 '16 at 01:46
  • @mallendeo Is there a way to do it via code implementation? Because several users would be using the application on different computers, and I would not want every user to manually bypass it. I would like to implement it in code, so that it would be bypassed automatically for any users on different computers. –  Oct 12 '16 at 01:48
  • you want to bypass security in a browser - if it's just for yourself, then it's simple, add an exception to the accepted certificates by your browser - if it's for others, then they'll need to do the same (good luck with that) – Jaromanda X Oct 12 '16 at 01:48
  • @JaromandaX So my question is, is there a way to implement in code to allow other users to do the same, including myself? Or does it all have to be done manually no matter what? –  Oct 12 '16 at 01:50
  • yes, it has to be done manually, but depending on the nature of the certificate error, you should only have to do it ONCE, in each browser – Jaromanda X Oct 12 '16 at 01:51
  • @LyManeug [use express with https](http://stackoverflow.com/questions/11744975/enabling-https-on-express-js) and [create a trusted certificate](https://certbot.eff.org/#ubuntuxenial-other) (if you're using Ubuntu). Are you using a web server like nginx? or just express? – mallendeo Oct 12 '16 at 01:58
  • @JaromandaX So there is absolutely no way to bypass it in code unless you manually do it? –  Oct 12 '16 at 01:59
  • @mallendeo I am currently just using Node.js and Express.js for the client-side server. Could you possibly show how I can implement the https using express with the suggestion you provided? So that I can accept the answer and upvote as well if it is good to go. –  Oct 12 '16 at 02:01
  • @LyManeug - as far as I know, security in browsers is not bypassable by a webpage - otherwise the browser is as secure as a shy person in a nudist camp – Jaromanda X Oct 12 '16 at 02:04
  • @LyManeug the links are already there. First you need to install letsencrypt `sudo apt-get install letsencrypt`, **stop** your node server, and create the certificates `letsencrypt certonly --standalone -d backendserver.com`. Then you need to point in your code to the right cert's path `/etc/letsencrypt/live/backendserver.com/`. Btw a little Google search doesn't hurt anybody. – mallendeo Oct 12 '16 at 02:08

1 Answer

There's generally only one proper solution here: use a server certificate that is trusted by the browser.

If you have a public server, you will need to get a certificate from a trusted certificate authority. For this, Let's Encrypt is a great (and free) service, and letsencrypt-express integrates this nicely with Express.

If you have a private server (like a development or testing server, or a server used only by a few browsers), you can just use a self-signed certificate and add this as a trusted certificate in your browser or operating system.

Frxstrem
  • Sorry before I accept the answer and upvote, I have several questions. I'm new to this whole security field so please excuse me if I'm not properly using my terms. When you are referring to the private server, are you talking about the back-end API server that I am making the API request to? Also, this application will be used by several users, so would every user have to add the trusted certificate to their own browser manually? If so is there a way to implement as code where it would do the same and bypass that `Your connection is not private`, so that every user doesn't have to? –  Oct 12 '16 at 01:44
  • @LyManeug By "private" I mean "only used by a few clients". But if your application is going to be used by a lot of people, you will have to get a certificate from a certificate authority, and set up your server with that certificate instead of what I assume is a self-signed certificate that you're using now. – Frxstrem Oct 12 '16 at 01:52
  • @LyManeug Essentially, to make the connection private, you have to make the browser trust your server certificate. If you get a certificate from a certificate authority, the browser knows that they trust the certificate authority, and the certificate authority trusts you, so the browser will trust your server. – Frxstrem Oct 12 '16 at 01:54
  • This is all internal use for several users and for testing purposes. So how can I make the browser trust my server certificate and can I do it with code rather than manually? And by 'my server', you mean the client-side server, correct? –  Oct 12 '16 at 02:03
  • @LyManeug You cannot automate this, since that would defeat the entire purpose of trust here. (If you could take an untrusted server and *automatically* make it trusted, that's not a secure system). But you will typically find a list of SSL certificates in your browsers settings where you can add it (instructions for [Chrome](http://stackoverflow.com/a/15076602) and [Firefox](https://support.mozilla.org/en-US/questions/1059377)). And by "server" I mean the server you are connecting to (your API server). – Frxstrem Oct 12 '16 at 02:18
  • I looked around and it is telling me to import the certificate onto my browser. Does that mean it is a self-signed certificate? –  Oct 12 '16 at 05:57