I do not really have much experience with production mode in Node.js & React.js, and today I heard that I should force SSL. I did some googling and, as it seems,

    const express = require('express');
    const app = express();

    // Redirect plain-HTTP requests to HTTPS, except in development.
    function requireHTTPS(req, res, next) {
       // req.secure is true for a direct TLS connection; x-forwarded-proto is set by a
       // reverse proxy that terminated TLS in front of Express.
       if (!req.secure && req.get('x-forwarded-proto') !== 'https' && process.env.NODE_ENV !== "development") {
          return res.redirect('https://' + req.get('host') + req.url);
       }
       next();
    }
    app.use(requireHTTPS);

this kind of code is used with Express.js to force SSL (code from lavamantis).

Then I did some research about forcing SSL with React.js, because using res.redirect with React is not something I had heard of before, and as it seems I should do the following in package.json:

    "scripts": {
        "start": "set HTTPS=true&&react-scripts start",
        ...
    }

So what should I do when I am using React.js with Node.js? I have not deployed a single application combining the two, but when I do I think I will use Nginx.

iLiA
  • Nginx has been specifically hardened enough security-wise to face the Internet, so using it as a reverse proxy for a NodeJS server like Express would be a good idea. In this capacity Nginx can and likely should terminate SSL traffic so that Express sees HTTP only. Note react-scripts uses webpack-dev-server instead of Express as a webserver. webpack-dev-server, as its name suggests, should be used in development only. – winwiz1 Oct 12 '19 at 13:35
  • So any suggestions for moving to production mode? – iLiA Oct 12 '19 at 13:39
  • The suggestion is to use React with Express in production. If Typescript doesn't put you off then you might have a look at [Crisp React](https://github.com/winwiz1/crisp-react). I'm the author. And finally add Nginx when you deploy the production build of your solution. – winwiz1 Oct 12 '19 at 13:46
  • So I do not need to force SSL? – iLiA Oct 12 '19 at 13:57
  • SSL is a must for deployment over the Internet. For an Intranet it's a strong preference or a must, depends. You can do development and testing (but not all testing) without SSL. – winwiz1 Oct 12 '19 at 14:11
  • I am not willing to use SSL in development mode, but I am talking about production. – iLiA Oct 12 '19 at 14:24
  • You can force SSL entirely through your Nginx reverse proxy configuration in production. No special JS code needed. – Tom Boutell Oct 12 '19 at 15:12
  • Thank you all. @TomBoutell Can you specify how? – iLiA Oct 12 '19 at 15:25

1 Answer

> I am not willing to use SSL in development mode but I am talking about production

A simplified scenario looks like this:

  • You do your development in the development environment, for example on your laptop. You do not use SSL. You have some security-sensitive cookie but Express doesn't make it secure-only; otherwise the client (e.g. browser) with your React app won't be able to send it back to Express in order to prove the user has already logged in.

  • You finished development and testing, so you are now switching from the development build of both the React app and the backend/Express code to the production build. You do not use SSL. You finished testing the production build.

  • You added Nginx and tested that the React app can access Express using Nginx as a reverse proxy. You do not use SSL.

  • You generate a self-signed SSL certificate and use it to switch Nginx to (a) use SSL and (b) terminate SSL traffic. The HTTP endpoint is not exposed anymore; Nginx doesn't accept HTTP connections anymore, only HTTPS. You make the client/browser trust this self-generated certificate. You change the production build to generate a secure-only cookie. You test the React app and it works with Express via Nginx.

  • You move from the dev environment to the production environment, e.g. deploy your production build in the cloud or wherever. You replace the self-generated SSL certificate with a proper one issued by a CA, either for a fee or for free. You add a firewall supplied by the deployment environment provider. The firewall can optionally terminate SSL traffic instead of Nginx.

winwiz1
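Tom Boutell's comment says SSL can be forced entirely in the Nginx reverse-proxy configuration, and the answer's scenario has Nginx terminating TLS and no longer accepting plain HTTP. The Nginx configuration below is an added illustration of that setup, not taken from the thread or from any commenter's project; the host name, certificate paths and the Express port 3000 are assumptions.

```nginx
# Plain-HTTP listener: nothing is served here, every request is redirected to HTTPS.
# (example.com is an assumed host name; adjust to your deployment.)
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    return 301 https://$host$request_uri;
}

# HTTPS listener: TLS is terminated here, so Express only ever sees plain HTTP
# on the loopback interface and is not reachable from outside.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Self-signed for the local test step, CA-issued once deployed (assumed paths).
    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS on later visits; enable once HTTPS is known to work.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Express bound to 127.0.0.1:3000 (assumed), i.e. not listening on a public interface.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        # Lets the app know the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

Because the proxy sets X-Forwarded-Proto, the requireHTTPS middleware from the question never redirects behind this configuration, and with `app.set('trust proxy', 1)` Express reports `req.secure` as true so the production build can issue its cookie with `secure: true`.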