
Access localhost with self signed certificate over https using Ajax

I am working on a NodeJS application which runs a server on https://localhost:port and uses a self-signed certificate (as no vendor provides a certificate for localhost). I am using an AJAX call from my website to hit the localhost and send data to the NodeJS app. My calls are getting blocked due to INSECURE_CONTENT, which is expected. I want to know if we have any workarounds for this?

Jayant Varshney asked Jan 29 '23 16:01


2 Answers

(see update below)

The workaround is to enable it at the browser level. This should allow AJAX calls as well.

For Chrome

  1. Go to this URL in Chrome: chrome://flags/#allow-insecure-localhost
  2. Hit Enable.
  3. Then you have to relaunch your Chrome browser so the change takes effect.

For Firefox

  1. Go to your localhost in Firefox. It should show you a warning.
  2. Click Advanced.
  3. Click Add Exception...
  4. A new popup window will appear; click Get Certificate.
  5. Verify that the checkbox says 'Permanently store this exception'.
  6. Click 'Confirm Security Exception'. Refer to the image below.

UPDATE:

As per OP's comment, the updated answer is below:

(Reply to this comment) For this, a simple hack is to have a proxy route in your node app. Create a route like http://localhost/proxy?yourwebsites_api/getData. In the node server, the proxy route will get the GET parameter from your URL and hit your website server, and will return the same response back. Like you do in C# with HttpWebRequest or HttpClient, or in PHP with curl.

shyammakwana.me answered Feb 01 '23 06:02


Add an entry for local.host 127.0.0.1 to your local hosts file to point the local.host domain to 127.0.0.1 (on that machine only).
You can then create a self-signed certificate for local.host, make sure to use this with your nodejs app, and add it to the root certificate store on your machine; this will make the browser recognize the certificate.
You need the local.host entry because you need a well-formed domain name for your self-signed certificate.

You can create a self signed certificate like so:

openssl req -x509 -nodes -days 1000 -subj '/C=US/ST=CA/L=MV/CN=local.host'  -newkey rsa:2048 -keyout local.host.key -out local.host.crt

On OS X the hosts file is located at /etc/hosts; on Windows it's at c:\windows\system32\drivers\etc\hosts

Here is how you can add your certificate to the root certificate store:

OSX:
https://pubs.vmware.com/flex-1/index.jsp?topic=%2Fcom.vmware.horizon.flex.admin.doc%2FGUID-9201A917-D476-40EF-B1F4-BBF14AB83D94.html

Windows:
http://www.thewindowsclub.com/manage-trusted-root-certificates-windows

Update:

OP pointed out that the app would be installed on a consumer desktop.

You could potentially generate a certificate for myapp.mydomain.com and point that to 127.0.0.1 after you acquire the certificate. This does not require you to add a certificate to the root store. However, this will still require you to ship the private key with the app, which compromises the certificate for all users, and it will also be painful to update the certificate. This is not a good solution.

You can generate a unique certificate during installation and install it in the root store. This also compromises the certificate, but only for the specific user. This reduces the attack vector, as the certificate itself is only supposed to protect that user; this is actually also how charlesproxy works.

Willem D'Haeseleer answered Feb 01 '23 05:02