Elio Capella

Notes for my future self.

Securing your services with HTTPS

Intro

It is becoming standard to secure services using HTTPS, and setting it up in node is a no-brainer. This post gives you some background and the instructions to set up your own secure server.

Background

HTTPS adds a layer of security by running the standard HTTP protocol over SSL/TLS. It is the current standard way to secure communications on the internet: it encrypts the traffic between clients and the server so that it cannot be read or tampered with by a man in the middle.

Create your certificate

SSL-protected connections need a certificate and a key. If you want to avoid browser warnings when using your services, you will need the certificate signed by a trusted certificate authority (this usually costs money, so in this tutorial we will sign it ourselves).

  1. Create the private key (-aes128 encrypts it with a passphrase you will be prompted for; note that 1024-bit RSA is below current recommendations, browsers and CAs expect 2048 bits or more)
    openssl genrsa -aes128 -out certificate.key 1024
  2. Generate the certificate signing request from that key, answering the prompts (the Common Name must be the host name clients will connect to)
    openssl req -new -key certificate.key -out certificate-request.csr
  3. Sign the request with our own key to produce the self-signed certificate
    openssl x509 -req -in certificate-request.csr -signkey certificate.key -out certificate.crt

Use your certificate

Let's use our fresh certificate in node: loading the two files and the native https library is all it takes.

// Native https only, no framework needed. cert must be the signed certificate
// and key the private key, so check which file holds which before starting.
var https = require("https"),
    fs = require("fs"),
    certificate = fs.readFileSync("certificate.crt"),
    certificateKey = fs.readFileSync("certificate.key");

https.createServer(
    {
        cert: certificate,
        key: certificateKey,
        // The key was generated with -aes128, so it is passphrase-protected and
        // createServer cannot load it without this option. Read it from the
        // environment instead of hard-coding it (KEY_PASSPHRASE is an assumed name).
        passphrase: process.env.KEY_PASSPHRASE
    },
    function (req, res) {
        res.writeHead(200, {'Content-Type': 'text/plain'});
        // res.send() is an express.js method; the native response object uses end()
        res.end("secure world");
    }
).listen(1337);

The certificates can be used with common node libraries like express.js or restify in a very similar way.

Conclusion

This post doesn't claim that HTTPS makes communications with your clients hack-proof. It does raise the sophistication of the attacks needed to compromise them, which reduces the number of possible attackers and therefore drastically increases the security of your services.

Great resources
