
I do not really have much experience with Node.js & React.js in production mode, and today I heard that I should force SSL. I did some googling, and it seems that

    const express = require('express');
    const app = express();

    // Redirect plain-HTTP requests to HTTPS, except in development.
    // Behind a TLS-terminating proxy req.secure is false, so the
    // X-Forwarded-Proto header set by the proxy is checked as well.
    function requireHTTPS(req, res, next) {
       if (!req.secure && req.get('x-forwarded-proto') !== 'https' && process.env.NODE_ENV !== "development") {
          return res.redirect('https://' + req.get('host') + req.url);
       }
       next();
    }
    app.use(requireHTTPS);

this kind of code is used with Express.js to force SSL (code from lavamantis).

Then I did some research about forcing SSL with React.js, because using res.redirect with React is not something I had heard of before. And it seems I should do the following in package.json:

    "scripts": {
      "start": "set HTTPS=true&&react-scripts start",
      ...
    }

So what should I do when I am using React.js with Node.js? I have not deployed a single application with that combination, but when I do, I think I will use Nginx.

  • Nginx has been specifically hardened enough security-wise to face the Internet, so using it as a reverse proxy for a NodeJS server like Express would be a good idea. In this capacity Nginx can and likely should terminate SSL traffic so that Express sees HTTP only. Note that react-scripts uses webpack-dev-server instead of Express as a webserver. webpack-dev-server, as its name suggests, should be used in development only. Commented Oct 12, 2019 at 13:35
  • So, any suggestions for moving to production mode? Commented Oct 12, 2019 at 13:39
  • The suggestion is to use React with Express in production. If TypeScript doesn't put you off then you might have a look at Crisp React. I'm the author. And finally add Nginx when you deploy the production build of your solution. Commented Oct 12, 2019 at 13:46
  • So I do not need to force SSL? Commented Oct 12, 2019 at 13:57
  • SSL is a must for deployment over the Internet. For an Intranet it's a strong preference or a must, it depends. You can do development and testing (but not all testing) without SSL. Commented Oct 12, 2019 at 14:11

1 Answer

"I am not willing to use SSL in development mode, but I am talking about production."

A simplified scenario looks like this:

  • You do your development in the development environment, for example on your laptop. You do not use SSL. You have some security-sensitive cookie, but Express doesn't make it secure-only; otherwise the client (e.g. browser) with your React app won't be able to send it back to Express in order to prove the user has already logged in.

  • You finished development and testing, so you are now switching from the development build of both the React app and the backend/Express code to the production build. You do not use SSL. You finished testing the production build.

  • You added Nginx and tested that the React app can access Express using Nginx as a reverse proxy. You do not use SSL.

  • You generate a self-signed SSL certificate and use it to switch Nginx to (a) use SSL and (b) terminate SSL traffic. The HTTP endpoint is not exposed anymore; Nginx doesn't accept HTTP connections anymore, only HTTPS. You make the client/browser trust this self-generated certificate. You change the production build to generate a secure-only cookie. You test the React app and it works with Express via Nginx.

  • You move from the dev environment to the production environment, e.g. deploy your production build in the cloud or wherever. You replace the self-generated SSL certificate with a proper one issued by a CA, either for a fee or for free. You add a firewall supplied by the deployment environment provider. The firewall can optionally terminate SSL traffic instead of Nginx.
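As an added example (not code from the question, the answer, or Crisp React), the following plain Node.js functions implement the production setup the answer describes: the force-HTTPS decision honours the X-Forwarded-Proto header that an SSL-terminating Nginx sets, redirects to a configured canonical host rather than echoing the request's Host header, and the session cookie is secure-only outside development. The `config` values and function names are assumptions.

```javascript
// Added example, not from the question or answer: the force-HTTPS decision and the
// secure-only session cookie for an Express app sitting behind SSL-terminating Nginx,
// written as plain functions so it runs without Express installed.

// Assumed configuration (placeholders, not values from the page).
const config = {
  env: 'production',            // process.env.NODE_ENV in a real deployment
  canonicalHost: 'app.example', // fixed redirect host; the request's Host header is not echoed
  trustProxy: true,             // true only when Nginx sets X-Forwarded-Proto in front of Express
};

// Returns null when the request may proceed, otherwise the HTTPS URL to redirect to.
function httpsRedirectTarget(req, cfg = config) {
  if (cfg.env === 'development') return null;          // no SSL during development
  if (req.socket && req.socket.encrypted) return null;  // TLS terminated by Node itself
  if (cfg.trustProxy) {
    // Nginx overwrites X-Forwarded-Proto with the scheme of the client-to-Nginx leg.
    // Without a trusted proxy the header is client-controlled and therefore ignored.
    const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
    if (xfp === 'https') return null;
  }
  return 'https://' + cfg.canonicalHost + req.url;
}

// Express/Connect-style middleware built on the decision above.
function requireHTTPS(req, res, next) {
  const target = httpsRedirectTarget(req);
  if (target) {
    res.writeHead(301, { Location: target }); // permanent redirect to the HTTPS endpoint
    return res.end();
  }
  next();
}

// Set-Cookie value for the session cookie: HttpOnly and SameSite always,
// Secure only outside development (the answer's "secure-only cookie" step).
function sessionCookie(name, value, cfg = config) {
  const parts = [name + '=' + encodeURIComponent(value), 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (cfg.env !== 'development') parts.push('Secure');
  return parts.join('; ');
}

// Constructed sample request: plain HTTP, no proxy header, in production.
const sample = { url: '/login?next=%2Fapp', headers: {}, socket: {} };
console.log(httpsRedirectTarget(sample)); // prints https://app.example/login?next=%2Fapp
console.log(sessionCookie('sid', 'abc'));  // prints sid=abc; Path=/; HttpOnly; SameSite=Lax; Secure
```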


1 Comment

This seems a little bit complicated, but I think I will understand.
