1

I'm running a simple NodeJS REST API and a ReactJS frontend application and I want them to communicate in a secure way over TSL. I've successfully issued a certificate (DNS challenge) from Let's Encrypt and I'm currently using it for my IIS site where the React application is running.

I now want to use this certificate in order to make communication between my frontend and backend (more) secure.

Both the clients where the frontend will be accessed from and the server where the backend is running are in the same LAN and not publicly accessible. The only thing I want to ensure is that the data is somehow securely transferred from the clients to the server. (You shouldn't be able to see the password and username just by pressing F12 in your browser, neither should a Man-in-the-Middle be able to do so)

I'm pretty much a beginner when it comes to network security/securing communication between client and server.

Pascal
  • 11
  • 2
  • Hello and welcome to Information Security. I highly recommend you to read "[How does SSL/TLS work?](https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work)" if you haven't done so already. It explains the basics of TLS, what it does (and doesn't do) for your application. –  Apr 07 '20 at 10:53

1 Answers1

1

This looks more complex on the surface than it actually is. What you basically want to do, is secure communication between a web client and a web server over TLS. It doesn't matter which web technology is in use, because TLS happens on the transport layer and not on the application layer.

What happens under the hood? When a client wants to use your application, it requests the JavaScript files from your IIS and executes them in the local browser. Whenever the clients need information from the backend, your NodeJS REST API, it sends a HTTP request the the respective API.

This means, all you need to do, is:

  1. Enable TLS on your API backend
  2. Change all the URLs in the application to HTTPS

This ensures that all requests from the client to the backend are encrypted with TLS. How to set up HTTPS depends on the server you use to run the NodeJS REST API.

Demento
  • 7,339
  • 5
  • 37
  • 46
  • Thank you for your answer! I have now activated TLS in my IIS for the page so I can access it with a vaild certificate and https in my browser. In order to make my backend use the certificate, I need to read some .pem files of the issued by Let's Encrypt. Do you know where I can find them on my server? – Pascal Apr 07 '20 at 13:37
  • Let's Encrypt is a CA, they do not run code on your computer and do not write pem files there. Read the documentation for the ACME client that you use, which contacts Let's Encrypt to get certificates. Don't forget to ensure automatic renewal works and that the new cert file is loaded by the web server when the file is replaced on disk. Also, all of this is not really "Information Security". "How do I use this piece of software?" and "How do I program X?" are on different sites. – Z.T. Apr 07 '20 at 14:47