Flood doesn't do this.
Generate an SSL with something like pem.
After thinking about this some more, I don't think this is such a good idea. Self signed certificates don't provide any substantial security, and will likely cause off-putting errors in the browser. Instead, the procedure should be documented for the users who want the extra security.
@SanPilot they provide transport layer security.
They implicitly have no authentication; so you could be dealing with an attacker.
It might prevent passive eavesdropping, but not any active MITM.
Implementing LetsEncrypt with it's Express middleware for a proper SSL certificate would be a better idea imo 馃憤
Generating a LetsEncrypt cert should not be default because it's useless to generate it if it won't be used. Let people choose this.
Let people generate their own certs the way they see fit. Perhaps simply cover that by more detailed docs. Anybody can use letsencrypt, especially in certonly standalone mode. It's a single command thing. Again, you're trying to re-invent something already working very well.
Add better tutorial and let people handle little stuff themselves.
Anyone who wants to secure this application can do so with a reverse proxy outside of the application layer. Here's a guide. I think this should be left up to the user.
I also made 2 guide:
The two guides handle the configuration of the reverse proxy with nginx and are using quite secure configs. I didn't make one for flood but that's nearly the same.
Most helpful comment
Anyone who wants to secure this application can do so with a reverse proxy outside of the application layer. Here's a guide. I think this should be left up to the user.