rawrool / Group7_SmartGarden

CECS 491a Project - Group 7 Smart Garden. Team Members: Raul Herrera, Jason Shortino, Arjun Chawla, Jose Hernandez.

Website security #76

Closed JosetheJedi closed 5 years ago

JosetheJedi commented 5 years ago

I improved the security of the website by adding SSL connection. First I had to get a domain name from Google and set it to point to the website that I am hosting on AWS. The domain is https://resilientsmartgarden.com.

Then I used Certbot to get a free SSL certificate for nginx and registered my domain names with it. Then I added reverse proxy routes to the configuration file so that requests on ports 80 and 443 are redirected to port 3000, where the application is running. This took about 5 hours to get running the right way.

I kept experiencing problems where only port 80, HTTP, was being redirected to port 3000. Now all traffic is redirected to port 3000 on a secure connection. If anyone were to try to request HTTP, the server will force HTTPS.
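The setup described in the comment above, written out as an added nginx configuration example; this is not the project's own config file. It assumes the application listens on 127.0.0.1:3000, that Certbot stored the certificate under its default path /etc/letsencrypt/live/resilientsmartgarden.com/, and that www.resilientsmartgarden.com is one of the registered names (the comment says "domain names" but does not list them). Port 80 only serves the ACME challenge path and otherwise answers with a permanent redirect to HTTPS; port 443 terminates TLS and proxies to the app.

```nginx
# Added example, not the project's nginx config. Assumes the app is bound to
# 127.0.0.1:3000 and Certbot's default certificate path (both assumptions).

# Port 80: allow Certbot renewals, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name resilientsmartgarden.com www.resilientsmartgarden.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here and proxy to the application on port 3000.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name resilientsmartgarden.com www.resilientsmartgarden.com;

    ssl_certificate     /etc/letsencrypt/live/resilientsmartgarden.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/resilientsmartgarden.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen this header will not try plain HTTP again.
    # Add it only once HTTPS is confirmed working.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading, then `curl -I http://resilientsmartgarden.com/` should return a 301 with a `Location: https://...` header, and `curl -I https://resilientsmartgarden.com/` a 200 from the app. One caveat the redirect does not cover: the statement that all traffic now goes through the secure connection only holds if port 3000 is not reachable from outside. The app should bind to 127.0.0.1 rather than 0.0.0.0, and the AWS security group should expose only 80 and 443; otherwise a client can simply connect to port 3000 directly and bypass TLS.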

JosetheJedi commented 5 years ago

Now that I have SSL encryption for the connection I don't think that I need to do client-side hashing for passwords.

I have done some research to find out if I should have client-side hashing for passwords before sending them to the server, but most of what I have found said that I am able to send plaintext passwords to the server as long as I have that SSL encryption.

"Ultimately though these benefits are minor, and add a lot of complexity - there's a real risk that you'll introduce a more serious vulnerability in your attempt to improve security."

https://security.stackexchange.com/questions/53594/why-is-client-side-hashing-of-a-password-so-uncommon

I also referenced my notes from CECS 378 cyber security.