1. Redirecting to HTTPS

   In the admin panel I activated Modulus' redirection feature so that any http requests will be redirected.
   

   Since Modulus has a proxy that does SSL termination my app can still require(http). The https module is not needed.

2. Getting my own SSL certificate

   After the first step I couldn't access my domain morningfa.me without a security violation in the browser anymore. I had to buy a SSL certificate for the domain "www.morningfa.me". This is automatically also valid for "morningfa.me".

   Modulus has a great guide on how to buy and install the certificate. After following those steps my configuration looked like this:

   

   BTW, I pasted the same private key and certificate for both entries in the custom SSL section. To test if everything is properly configured I used Symantec's tester which actually helps you to fix problems and afterwards I used Qualys SLL Labs for a more advanced look.

3. Redirecting WWW to non-WWW

   I prefer to use "morningfa.me" instead of "www.morningfa.me" so I needed a redirection mechanism. The other way around would be easy but this is actually a little tough due to limitations of the DNS entries.

   I configured two DNS A-record entries in my domain settings. I registered my domain with Bluehost where these entries look like this:

   

   Depending on where you bought your domain your configuration may look a little different. Anyway, the IPs you need to use are listed here.

   At this point both "morningfa.me" and "www.morningfa.me" are forwarded to the Modulus servers and don't show security violations in the browser anymore. To finally redirect www to non-www URLs I added a small Express middleware:

   app.use(function (req, res, next) {
       if (req.headers.host.match(/^www\./i)) {
           res.redirect(301,
               'https://' + req.headers.host.substr(4) + req.url
           );
       } else {
           return next();
       }
   });
   

4. Securing the Session Cookie

   I use Express-Session that sends a cookie to the browser. Since I am only using HTTPS I can improve the security by marking the cookie as secure. This way the browser will only send the cookie over the wire when a secure connection is made.

The session parameters needed to use a secure cookie on Modulus are the following:

``` js
app.use(session({
// ...
cookie: {
// ...
secure: true
},
proxy: true
}));

That's it. Hope it helps. And if you got stuck somewhere let me know in the comments and I will fill in the blanks.

*, *:before, *:after {
    box-sizing: border-box;
}

Today I stumbled upon the fact that many still kinda recent browser versions need prefixing for that. What I want is:

*, *:before, *:after {
    -webkit-box-sizing: border-box;
       -moz-box-sizing: border-box;
            box-sizing: border-box;
}

I am using the autoprefixer of PostCSS to help me out. However, the default configuration does only consider the last few versions of any evergreen browser – which is usually the case for other autoprefixers as well. Thus the prefixes shown above don't get added.

To configure the autoprefixer appropriately I started from IE9's release date in 2011. I took each browser that can be configured with Browserlist and added the version that was also released around the same time.

In the end I got:

autoprefixer({ browsers: [
    'Android >= 2.3',
    'BlackBerry >= 7',
    'Chrome >= 9',
    'Firefox >= 4',
    'Explorer >= 9',
    'iOS >= 5',
    'Opera >= 11',
    'Safari >= 5',
    'OperaMobile >= 11',
    'OperaMini >= 6',
    'ChromeAndroid >= 9',
    'FirefoxAndroid >= 4',
    'ExplorerMobile >= 9'
]})

Maybe it is a bit too much to support even evergreen browsers back to 2011. Nonetheless it certainly is better than the autoprefixer's default.

What about you? Which configuration do you prefer in your "IE9 and up" projects?

Update: The release is out. You may now also use https://iojs.org/dist/latest/ in step 1 and then continue the same way.

1. Download the latest io.js nightly from https://iojs.org/download/nightly/ (Take those with "linux" or "darwin" in their name. They contain the prebuilt binaries.)
2. Extract the archive to let's say ~/iojs/
3. cd to the folder of your existing node.js project (preferably a copy of it)
4. Check with python --version that it points to version 2.6 or 2.7
5. Run ~/iojs/bin/npm rebuild to recompile packages with native code
6. Start your app with ~/iojs/bin/iojs <your main js file>
7. If everything works fine you have earned the badge! ![io.js supported](https://img.shields.io/badge/io.js-supported-green.svg?style=flat)

Let me know in the comments if you stumble upon some issues and I will update the steps accordingly.