Getting ready

The most important thing that you can do to help secure your Express web application for users is to encrypt content between your user's browser and your web server. Generating an SSL certificate to enable secure HTTPS communications between your Express web server and frontend application can be easy, but the process of generating and utilizing SSL certificates correctly can be quite complicated.

For the sake of simplicity, we will generate a simple, generic, self-signed SSL certificate, with an unencrypted private key, using openssl to help explain how to configure an SSL certificate in Express:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes

When you have correctly run the openssl certificate generator, you will have key.pem and cert.pem files in the root of your my-express-project directory.

These will work for learning purposes, but for a production website, you will need to acquire a certificate that is verifiable with a certificate authority, or else your browser will show the certificate as invalid to your users. SSL certificates can be purchased from many certificate authorities online for very little money, and are sometimes bundled with web hosting packages from various web hosting providers.
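Before wiring the files into Express, it is worth confirming that the generated pair is consistent. The following shell script is an added example, not code from the book: it runs the same openssl command non-interactively (the subject "/CN=localhost" and the 365-day validity are assumptions), checks that key.pem really belongs to cert.pem, and confirms that the certificate is self-signed, which is exactly why a browser will flag it as invalid. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the book). Assumes the openssl CLI is installed.
set -e

# Generate key.pem and cert.pem into the directory given as $1 (default: current dir).
# -subj skips the interactive prompts; -nodes leaves the key unencrypted, as in the book.
gen_dev_cert() {
  dir="${1:-.}"
  openssl req -x509 -newkey rsa:4096 -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -nodes -days 365 -subj "/CN=localhost" 2>/dev/null
}

# The public key inside cert.pem must equal the one derived from key.pem;
# if they differ, Node's https.createServer() will reject the pair at startup.
key_matches_cert() {
  dir="${1:-.}"
  from_key=$(openssl pkey -in "$dir/key.pem" -pubout -outform DER | openssl sha256)
  from_cert=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout \
    | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$from_key" = "$from_cert" ]
}

# A certificate whose issuer equals its subject is self-signed: fine for local
# development, but browsers will warn users because no trusted CA vouches for it.
is_self_signed() {
  dir="${1:-.}"
  subj=$(openssl x509 -in "$dir/cert.pem" -noout -subject)
  iss=$(openssl x509 -in "$dir/cert.pem" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print the validity window so an expired development cert is noticed early.
cert_validity() {
  openssl x509 -in "${1:-.}/cert.pem" -noout -dates
}

# Usage: ./check-dev-cert.sh /path/to/my-express-project
if [ "$#" -gt 0 ]; then
  gen_dev_cert "$1" && key_matches_cert "$1" && is_self_signed "$1" \
    && cert_validity "$1" && echo "self-signed development certificate ready in $1"
fi
```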

To further secure our application, we will also install an npm module called Helmet:

npm install --save helmet

Helmet is a collection of Express middleware that sets and adjusts HTTP response headers, so that misconfigured or missing headers cannot be abused to exploit an Express application.
