Answer B: NGINX should forward port 443 to localhost:5001 and the application should have a self-signed certificate registered to "localhost" to enable encryption between NGINX and the application.