Reputation: 1492
I am working on a NodeJS API and I got some questions about deploying it.
Let's say I got an HTTP server like this from the w3 schools example:
var http = require('http');

// Plain-HTTP server: responds 200 with a text body to every request.
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.write('Hello World!');
  res.end();
}).listen(8080); // listens on all interfaces, port 8080, no TLS
Q1 I can for example switch http to https and load in some local self-signed certificate. But what is the point of that? Since it's self-signed, the cert is invalid for most browsers.
Q2 Can't I just put it on a server, run it with for example PM2, and secure the domain which the API is attached to with HTTPS?
Q3 Do I really need to use the NodeJS https library to make a secure API?
I'm kinda new to cybersecurity and deployment so I'm worried I might miss some crucial parts, please enlighten me.
Upvotes: 1
Views: 505
Reputation: 943556
Self-signed certificates are useful in controlled environments, but less so when your audience is the general public. Get a certificate from a recognised third-party.
If your website is served over HTTPS, but your web service is not, then you have a huge security risk. All the data being requested and sent to the web service won't be encrypted. What's more, browsers may refuse to pull in data from an insecure origin to a website that they loaded using HTTPS.
PM2 has no built-in capability to add HTTPS to a site.
You don't need to use the https module. In most cases, it is quite sufficient to run a reverse proxy which handles the encryption. The browser will make a request using HTTPS to the reverse proxy, which will forward the request using plain HTTP.
You protect the Node.js application from interception by making sure there is no unencrypted network traffic between the reverse proxy and the Node.js application. Typically this is done by running them on the same computer.
The PM2 documentation covers using a reverse proxy for SSL.
Upvotes: 1