0

I wrote a node.js app to deal with processing forms on a business's website. These forms can contain sensitive information so I knew it needed an SSL certificate. Since I didn't want to serve my node app from port 80, I used Apache to proxy it from port 3xxx to 80.

Then, I generated a cert from Let's Encrypt and I was able to access it from port 443.

My question: Is my nodejs app secure even though it is behind a proxy?

cmelone

1 Answer

1

Security is a process, not a destination. There is not a "make my thing secure" switch that you can flip.

SSL/TLS is only one small part of the picture here. Yes, it's great to protect the connection between your clients and your server, but that doesn't do any good if there are vulnerabilities in your application. Speaking frankly, if there is a security issue, it is very likely that it will be with your code, not with any other parts of the system.

So - yes, you should be using TLS. That is the right thing to do. But, you also need to go through all of the other components involved to ensure they are secure as well.

EEAA