
Best practice to secure request payload between client / server during post request transmission node/express js

Narrowing down from a broad topic, I have a specific question (maybe a little bit 'tin-foil hat').

This question is regarding the best practices of securing data transmitted in a POST request between the client and server. The background is a web app I'm developing to learn more about Node and Express.js.

Although the example I'm using is for login credentials, it really could be about any information being transmitted in a POST request from a form submit to an Express server.

Example: the client submits form data through a button click event on the client. I'm using Vue for the front end, but this is a generic question. On the client page I'm also using (inside an async function):

const resp = await axios.post("http://someurl.com/login", {client:email, pw:pw});

In Chrome developer tools, on the Network tab, I can see the request payload. In the example it looks like:

{client:"some email address", pw:"some password"}

Would it be better to transmit the payload already encrypted / encoded, and then have it decrypted / decoded on the server? For transmitting sensitive information, is it better to use a signed cookie?

The plan, should I ever get through all of this, is to use Let's Encrypt for HTTPS.

Is it reasonable to only rely on HTTPS for protecting this type of payload?

For reference, on the Express server the password gets hashed and compared with a hashed version from a database. I've read about Helmet and csurf and intend to use them in the final product as well. There's a lot of great information in this answer, which is incredibly awesome and talks about the importance of HTTPS over HTTP.

Any additional references / thoughts / practical considerations are appreciated.

Using HTTPS will encrypt your payload between your client and the server. Any JavaScript handling on the front end can be circumvented by users with enough knowledge, so all the front end is really there for is to facilitate a better user experience: password confirmation checking, correct fields filled out, etc.

Your main source of security will be your eventual Let's Encrypt HTTPS certificate and your hashing and salting applied at the server end. As you correctly surmised, HTTP sends passwords in clear text, which is bad. As a warning though, even HTTPS can be defeated if somebody wants it badly enough, with a number of techniques to hijack Certificate Authorities (I believe Root CAs should be offline anyway) or modify trusted certificates on a user's PC.

Although it does depend on the amount of effort required by the hacker vs. the potential return; hence the more you are trying to protect, the greater the security required before it becomes not worth the effort for any potential hacker to attempt to circumvent the security of a particular site. (Reputation hacks aside, of course.)

Hope this helps.
