I'd like to make sure any communications with my web app are secured.

It's the first web app I've developed, and I'm really new to this backend/infrastructure world, so my question might sound a bit silly.

My app is written in Node.js and I use Express:

var express = require('express'),
    bodyParser = require('body-parser'),
    methodOverride = require('method-override'),
    errorHandler = require('errorhandler'),
    jsdom = require('jsdom'),
    http = require('http'),

...

var server = http.createServer(app).listen(app.get('port'), function () {
    // Allow prompt in Node after launching
    var repl = require("repl");
    repl.start("> ");
});

This app runs on an AWS EC2 instance (don't know if the wording is correct) and any communication with the app is secured with HTTPS (I can do API calls to https://my.api.com/get/results, for instance).

Everything works really fine so far but I'm wondering if all of this is safe.

As you may have noticed, I am not using HTTPS with the express server:

http = require('http')

The thing is, as far as I understand, the express server is still "behind" an HTTPS-secured portal in my case.

Better to ask before releasing unsecured stuff.

Randy

1 Answer

If you have a reverse proxy that handles HTTPS for you then there is usually no need to use HTTPS in your Node application, especially if the network that those two communicate over is secure - like a loopback interface or an internal network in your data center. If the reverse proxy and your Node app communicate over the public Internet then you need to use HTTPS for that traffic as well.

See those answers for more info:

rsp
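The setup the answer describes, as an added example that is not code from the question or the answer: a plain-HTTP Node backend that listens only on loopback, accepts traffic only from the reverse proxy, and relies on the proxy's `X-Forwarded-Proto` header to tell whether the client used HTTPS. It assumes the proxy runs on the same host and overwrites that header with a single value; `classifyRequest`, `startBackend`, the port and the constants are hypothetical names, and the origin is the example host from the question.

```javascript
const http = require('http');

// Assumptions (not from the original post): the proxy is on this host, so it
// reaches the app over loopback, and it overwrites X-Forwarded-Proto itself.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
const BIND_ADDRESS = '127.0.0.1'; // not 0.0.0.0: keep the plaintext port off external interfaces
const PORT = 3000;
const PUBLIC_ORIGIN = 'https://my.api.com'; // example host from the question

// Decide how to answer a request from its direct TCP peer, headers and URL.
function classifyRequest(peerAddress, headers, url) {
  // Only the proxy may talk to the plaintext port; any other peer could forge
  // X-Forwarded-Proto, so it is refused before the header is even read.
  if (!TRUSTED_PROXIES.has(peerAddress)) {
    return { status: 403, headers: {}, body: 'Direct access is not allowed\n' };
  }
  const proto = String(headers['x-forwarded-proto'] || '').trim().toLowerCase();
  if (proto !== 'https') {
    // The client reached the proxy without TLS (or the header is missing):
    // redirect to the fixed HTTPS origin, never to a client-supplied Host.
    return { status: 308, headers: { Location: PUBLIC_ORIGIN + url }, body: '' };
  }
  return {
    status: 200,
    headers: { 'Strict-Transport-Security': 'max-age=31536000' },
    body: 'ok\n',
  };
}

function handler(req, res) {
  const decision = classifyRequest(req.socket.remoteAddress, req.headers, req.url);
  res.writeHead(decision.status, decision.headers);
  res.end(decision.body);
}

// Plain HTTP is acceptable here only because the socket is bound to loopback.
function startBackend() {
  return http.createServer(handler).listen(PORT, BIND_ADDRESS);
}
```

Call `startBackend()` to run it. If the proxy lives on another machine, bind to the internal interface instead and put the proxy's address in `TRUSTED_PROXIES`.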