const express = require('express');          // the snippet assumes an Express app
const session = require('express-session');  // the express-session middleware being configured

const app = express();
app.use(session({
    ...
    proxy: true,             // trust the X-Forwarded-Proto header from a reverse proxy
    resave: true,
    saveUninitialized: true
}));
I found a tutorial on express-session and they have a proxy: true option. Can I leave it on true? What does this do? Is it better to include it? I know what a proxy is; however, I don't really get why this is an option.
The fine manual states:
This refers to situations where clients don't connect directly to your Node server, but through a reverse proxy. For instance, clients connect to an NGINX webserver, which forwards the requests to a Node server; NGINX, in this situation, is the reverse proxy.
In reverse proxy setups, it's also quite common that the client communicates with the reverse proxy over HTTPS, yet the proxy communicates with the Node server using plain HTTP.
This is an issue when you configure the session middleware to use so-called "secure cookies" (documented here). The session middleware won't allow these cookies to be sent over plain HTTP but requires that they are sent over HTTPS. If your reverse proxy communicates with your Node server over HTTP, this would mean you won't be able to use secure cookies.
To solve this problem, the reverse proxy will set the X-Forwarded-Proto header on every request it forwards. It tells the Node server what the original protocol of the request was, regardless of the way the reverse proxy connects to the Node server. With the proxy option of the session middleware, you're telling it to trust this header and allow secure cookies to be sent over plain HTTP, provided that X-Forwarded-Proto is set to https.

If you are exposing your Node server directly (so clients connect to it), you should set this option to false, because otherwise a client can fool your server (by sending an X-Forwarded-Proto header itself) into thinking that the connection was secure. However, if you're not using secure cookies anyway, it won't really matter.