Node.js on Elastic beanstalk requests are HTTPS but express is served as HTTP. Is this secure?

Question

I have node express project that is hosted on AWS elastic beanstalk. My requests are HTTPS when i check the network tab in my dev tools. However my node express app's code is served in HTTP. Do I need to change the "http" module to "https"? If I do then wont I have to provide some key somewhere from AWS?

const http = require('http');
const app = require('./app');

const normalizePort = val => {
  var port = parseInt(val, 10);

  if (isNaN(port)) {
    // named pipe
    return val;
  }

  if (port >= 0) {
    // port number
    return port;
  }

  return false;
};


const onListening = () => {
  const addr = server.address();
  const bind = typeof addr === "string" ? "pipe " + addr : "port " + port;
  //debug("Listening on " + bind);
};

const port = normalizePort(process.env.PORT || "8081");
app.set("port", port);

const server = http.createServer(app);
server.on("error", onError);
server.on("listening", onListening);
server.listen(port);

Answer 1

You don't have to change it to HTTPS .

When you use AWS EB , you get the load balancer(ELB) with the certificate + nginx on each machine used to reverse proxy to your app .

AWS help you secure the connection up to the load balancer for free .

it's up to you if you want to add an extra layer of security.

for most use cases , unless you really deal with very sensitive data (medical, industry) the first layer is good enough and will keep all connection to the ELB secured and untouched .

If you do want to add the extra layer of security , you can create a certificate with "let's encrypt" , save the keys on your machine , and start the server with https and configure the keys .

take a look at: https://www.sitepoint.com/how-to-use-ssltls-with-node-js/

it's using certbot (Let's encrypt cli ...)