Node.js express-session what does the proxy option do?

app.use(session(
  {
    ...
    proxy: true,
    resave: true,
    saveUninitialized: true
  }
));

I found a tutorial on express-session and they have a proxy: true option. Can I leave it on true? What does this do? Is it better to include it? I know what a proxy is; however, I don't really get why this is an option.

2

There are 2 answers

6
robertklep On BEST ANSWER

The fine manual states:

Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

This refers to situations where clients don't connect directly to your Node server, but through a reverse proxy. For instance, clients connect to an NGINX webserver, which forwards the requests to a Node server; NGINX, in this situation, is the reverse proxy.

In reverse proxy setups, it's also quite common that the client communicates with the reverse proxy over HTTPS, yet the proxy communicates with the Node server using plain HTTP.

This is an issue when you configure the session middleware to use so-called "secure cookies" (documented here). The session middleware won't allow these cookies to be sent over plain HTTP but requires that they are sent over HTTPS. If your reverse proxy communicates with your Node server over HTTP, this would mean you won't be able to use secure cookies.

To solve this problem, the reverse proxy will set the X-Forwarded-Proto header on every request it forwards. It tells the Node server what the original protocol of the request was, regardless of the way the reverse proxy connects to the Node server.

With the proxy option of the session middleware, you're telling it to trust this header and allow secure cookies to be sent over plain HTTP, provided that X-Forwarded-Proto is set to https.

If you are exposing your Node server directly (so clients connect to it), you should set this option to false, because otherwise, a client can fool your server (by sending an X-Forwarded-Proto header itself) into thinking that the connection was secure. However, if you're not using secure cookies anyway, it won't really matter.

0
apsillers On

If your app does not receive requests forwarded through a proxy, you do not need to worry about this option. Proxies are often used to route requests to one of several apps.

A proxy looks like this:

[Client] ==request==> [Proxy] ==forwarded request==> [Server]

Here, the server can't see the original request and relies on the proxy to truthfully relate each request.

From the express-session docs:

proxy
Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

The default value is undefined.

  • true The "X-Forwarded-Proto" header will be used.
  • false All headers are ignored and the connection is considered secure only if there is a direct TLS/SSL connection.
  • undefined Uses the "trust proxy" setting from express

Looking at the Stack Overflow question What does "trust proxy" actually do in express.js, and do I need to use it? (which references "Express behind proxies"), we see that "trust proxy" means whether the app trusts its proxy to accurately report the source of a request. This impacts secure HTTPS-only cookies: it is necessary to trust the proxy that a request genuinely came from an HTTPS source.

[Client] ==HTTPS==> [Proxy] =="I'm forwarding an HTTPS request"==> [Server]

The server can't see the client. If the proxy is lying, and it's not really an HTTPS request from the client, the server shouldn't send secure cookies. Therefore, we can indicate whether we trust the server to truthfully report the HTTP/HTTPS status of forwarded requests.
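
The behaviour both answers describe, as an added example that is not part of either answer and is not express-session's own code: a simplified model of how the three proxy values decide whether a request counts as secure. The req.encrypted field and the expressTrustsProxy flag are hypothetical stand-ins for the TLS socket state and Express's "trust proxy" setting, and the request objects are constructed.

```javascript
// Simplified model of the documented `proxy` values; not express-session's source.
// proxyOption: the session `proxy` option (true | false | undefined).
// expressTrustsProxy: hypothetical boolean standing in for Express's "trust proxy".
function isConsideredSecure(req, proxyOption, expressTrustsProxy = false) {
  if (req.encrypted) return true;               // direct TLS connection to Node
  if (proxyOption === false) return false;      // all headers ignored
  if (proxyOption === undefined && !expressTrustsProxy) return false;
  // proxy: true, or undefined with Express trusting the proxy: read the header.
  const header = req.headers['x-forwarded-proto'] || '';
  const proto = header.split(',')[0].trim().toLowerCase(); // first value in a chain
  return proto === 'https';
}

// Constructed requests as the Node server sees them.
const requests = {
  // Client -> HTTPS -> NGINX -> HTTP -> Node, header set by the proxy.
  behindProxyHttps: { encrypted: false, headers: { 'x-forwarded-proto': 'https' } },
  // Client -> HTTP -> NGINX -> HTTP -> Node.
  behindProxyHttp: { encrypted: false, headers: { 'x-forwarded-proto': 'http' } },
  // Client -> HTTPS -> Node, no proxy.
  directTls: { encrypted: true, headers: {} },
  // Client -> HTTP -> Node, no proxy, header supplied by the client itself.
  // Indistinguishable from behindProxyHttps from the server's point of view.
  directHttpClientHeader: { encrypted: false, headers: { 'x-forwarded-proto': 'https' } },
};

// Build a decision table: one row per request, one column per `proxy` value.
function decisionTable() {
  const table = {};
  for (const [name, req] of Object.entries(requests)) {
    table[name] = {
      proxyTrue: isConsideredSecure(req, true),
      proxyFalse: isConsideredSecure(req, false),
      proxyUndefinedTrusting: isConsideredSecure(req, undefined, true),
      proxyUndefinedNotTrusting: isConsideredSecure(req, undefined, false),
    };
  }
  return table;
}

console.table(decisionTable());
```

The directHttpClientHeader row shows why proxy: true belongs only on a server that is reachable solely through the proxy: with proxy: false the same request is not treated as secure.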