In the previous lesson, we disabled HTTP in favor of HTTPS. In this lesson, we'll learn that the default protocol for web browsers is HTTP, so we need to provide an HTTP endpoint that redirects the browser to HTTPS. We'll do that by setting up a small Express application whose sole responsibility is to redirect HTTP URLs to HTTPS. In doing so, we'll accidentally reintroduce the transmission of our session ID over HTTP, which we'll need to fix in our next lesson.
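The redirect-only listener described above, as an added example that is not the lesson's own code: it uses Node's built-in `http` module instead of Express so it runs without dependencies. The host allowlist, the ports, the `REDIRECT_LISTEN` switch and the function names are assumptions.

```javascript
// Added example: a plain-HTTP listener whose only job is to redirect to HTTPS.
const http = require('node:http');

// Assumed values: use the hostnames and port your HTTPS server really serves.
const ALLOWED_HOSTS = new Set(['localhost', 'example.test']);
const HTTPS_PORT = 443;

// Build the https:// target for a plain-HTTP request. Returns null when the
// Host header is missing or is not a name we serve: the header is chosen by
// the client, so echoing it blindly would let a request redirect anywhere.
function redirectTarget(hostHeader, path, httpsPort = HTTPS_PORT) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase(); // drop ":8080"
  if (!ALLOWED_HOSTS.has(host)) return null;
  // Origin-form paths only; anything else (e.g. an absolute URL) becomes "/".
  const safePath = typeof path === 'string' && path.startsWith('/') ? path : '/';
  const port = httpsPort === 443 ? '' : `:${httpsPort}`;
  return `https://${host}${port}${safePath}`;
}

// Request handler. Note that the request reaching this function has already
// crossed the network in clear text, cookies included, which is the session
// ID exposure the lesson mentions.
function handle(req, res) {
  const target = redirectTarget(req.headers.host, req.url);
  if (!target) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('Bad Request');
  }
  // 301 for GET/HEAD; 308 asks the client to keep the method for other verbs.
  const status = req.method === 'GET' || req.method === 'HEAD' ? 301 : 308;
  res.writeHead(status, { Location: target, 'Content-Length': 0 });
  res.end();
}

// Start listening only when asked, so the file can also be loaded for tests.
if (process.env.REDIRECT_LISTEN === '1') {
  http.createServer(handle).listen(8080); // assumed development port
}
```

Run it with `REDIRECT_LISTEN=1 node redirect.js` and request `http://localhost:8080/` to see the `Location` header.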
Thanks for sharing, but how would you set up production to work with SSL?
The answer to that depends a lot on your specific configuration, especially who you use as a hosting provider. Lots of services now offer "Let's Encrypt" integration by default.
Here's a guide from Let's Encrypt that should point you in the right direction: https://letsencrypt.org/getting-started/