Is a PostAsync request to an expressjs server safe & secure?

Okay, this might sound like a stupid question to you experienced web developers and scripters etc…

My question is: is a PostAsync request to an expressjs server safe & secure? To elaborate on this question, let me present a scenario.

Let’s say I have a roblox game that sends an HTTP request to an expressjs server with an “Authorization” header.

  • Could a hacker possibly fish the Authorization header that’s being transferred somehow?
  • If yes to the previous question, then how can I defend against it?

The reason why I’m asking my question is I heard that the HTTP protocol is very insecure.

Examples of what I’m talking about:

  • Post Request Code:
const express = require('express')
const app = express()
app.use(express.json())

app.post('/testingExample', async (req, res) => {
    // Accept the request only when the Authorization header equals the shared value
    if (req.headers && req.headers["authorization"] && req.headers["authorization"] === "test") {
        return res.send({success: true})
    }

    res.send({success: false})
})

app.listen(3000)
  • Roblox Server Code:
local HttpService = game:GetService("HttpService")

-- Arguments: url, body, content type, compress flag, headers table
-- (headers are the fifth argument; the fourth is the compress boolean)
-- Plain http:// as in the question; HttpService also accepts https:// URLs
local response = HttpService:PostAsync("http://example.com/testingExample", "", Enum.HttpContentType.ApplicationJson, false, {
       authorization = "test"
})

print(response) -- prints the raw JSON body, e.g. {"success":true}

Please read through the whole post before answering, and thanks.


Roblox’s HTTP service supports the HTTPS protocol, and it is recommended to use it. It is clearly stated in the documentation. HTTP is indeed insecure because it has no encryption. HTTPS is secure because it uses encryption. I am also not sure where you got this information from, but if you just heard it somewhere, then that is pretty wrong. The only way for someone to actually “see” the data is with a “man in the middle attack.” That means that someone is imitating the end destination of the traffic and trying to read it. It is very unlikely that would ever happen. It’s not like people have access to huge data centers around the world. There is also no reason someone would be trying to pick up your signal from an antenna in a field or something. :skull:
Again, HTTP is insecure and should be avoided because of these reasons. HTTPS turns plain text into encrypted data, which cannot be decoded if someone sees the traffic.
From the HTTP service documentation:


Not a specialist, but I have worked with networking and self-hosting a server in my own house. Networking is quite a complex topic, but with some real practice you will learn it pretty quickly. There are a lot of best practices to follow, but since you only ask about HTTP/HTTPS I won’t go into detail. Just be sure you don’t make yourself vulnerable; people on Roblox would do anything to even DDoS an actual Roblox server. More on that topic here. Even with some kind of “rate limitation” you implement in the game itself, people can still track the URL and send junk requests to overload your server. Using stuff like nginx can help you counter those by creating custom rulesets for how traffic is routed.


Gosh, I’m so dumb. I was mistaken about HTTPS being supported because whenever I used the HTTPS protocol in the studio’s command line it said something about using “http”; gosh.

Thank you so much for the detailed reply, man! :heart:


No problem, stay safe out there and never give up on security. You should always have it as your first priority when building an app. Happy coding and good luck with whatever you are making.
