Adrian Stanek
May 8, 2022

Thank you for your insights about how you secure a node.js app.

We have used this method in the very beginning as well. But I would add to the article to look into a local reverse proxy with self-signed certificates in the long run.

This will have a similar effect but is more flexible for multiple projects and more suited for escalated environments later because you don't need to modify your code.

Here is why:
In production, the app itself will have a good chance to run in an isolated and replicated environment like an orchestrated cluster.

Having centralized staging or development environments will require trusted certificates anyway. This means that as soon as your code goes into another environment, the setup most likely changes to a proxied version.

If you need SSL in development, look into NGINX and self-signed certificates or similar solutions.

This refers to the OSI layer, where I would recommend having the SSL part, not in the application layer itself.

This approach simulates the real environment just better.

Regarding "security":
Please make sure you avoid keeping sensitive, protection-worthy data in your development environment. A secure connection locally does not protect you from harm here.

I would highly recommend adding this kind of notice because it might be a false sense of security for a newcomer.

Nothing on your local development machine should be sensitive. This includes database connections to production systems or access tokens to other production services alike.

This kind of dangerous information might only appear in its respective environment.

Adrian Stanek

CTO @webbar & raion.io | Blogger | CTO-Newsletter | Advocates web-native technologies to become the leading platform for digital businesses
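The local TLS-terminating reverse proxy the comment recommends, as an added example that is not part of the original comment or any project mentioned in it. It assumes the Node.js dev server listens on 127.0.0.1:3000 and that a self-signed certificate and key (generated once with the openssl command in the comments) live under /etc/nginx/dev-certs/; both paths are placeholders.

```nginx
# Added example: NGINX terminates TLS locally and proxies plain HTTP to the app,
# so the application code never has to handle certificates itself.
# Assumed one-time certificate generation (OpenSSL 1.1.1+ for -addext):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
#     -keyout localhost.key -out localhost.crt
# Trust localhost.crt in your local OS/browser store; never reuse it outside dev.

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/dev-certs/localhost.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/dev-certs/localhost.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:3000;   # assumed Node.js dev port
        proxy_http_version 1.1;

        # Forward host and scheme so the app can build correct absolute URLs
        # and mark cookies "Secure" without knowing TLS was terminated upstream.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Keep WebSocket / hot-reload connections of typical dev servers working.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Optional: redirect plain-HTTP requests to the TLS listener so nothing
# in development accidentally keeps talking over cleartext.
server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}
```

Moving to staging or production then only means swapping the certificate paths (or the proxy itself) in this file; the application configuration stays unchanged.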