JavaScript, node.js and security

I have an user registration form on my website, and it just sends the data (username, password and email) to the ser开发者_开发问答ver in plain text using socket.io. I know that this is a really bad solution, so what do I use to hide the information? And can you explain how could someone get the information so I know what to avoid? I heard about jsAES, that encrypts the stuff, but how will both the client and the server know the key?

What you can do is use asymmetric cryptography in JavaScript: Include JavaScript encryption code (for example, RSA, not the symmetric AES) and a public key in your code. Upon submit, encrypt all inputs and send them to the server where they are decrypted with the private key. However, a skilled attacker can simply change that JavaScript or inject his own to circumvent this client-side encryption. Also, it requires JavaScript, which may disabled by security-conscious visitors.

Instead of rolling out your own solution, use HTTPS. Generate a key pair, get a certificate for it, and configure your server to serve HTTPS requests. Use HTTP Strict Transport Security to force HTTPS for all connections.