Security in Node.JS Webserver Security in Node.JS Webserver javascript javascript

Security in Node.JS Webserver


I agree with anm and schaermu about using a reverse proxy so that your application is not directly accessed by your visitors, even if that really has more to do with stability than security.

I want to add that you also have to think about safely installing the Node itself and its modules. In particular, never install npm using this method:

curl http://npmjs.org/install.sh | sudo sh

This is basically giving root shell to anything that you get from the network using insecure HTTP with no verification at all, not even knowing who are you talking to. This can lead to a serious compromise of your entire system using very basic and widely known methods, and if your system is compromised then it doesn't matter if your application is behind a reverse proxy, firewall or anything. See this answer for a more comprehensive explanation.


The reason why there are years and years of professional teams building security into Apache / IIS is because those are all encompassing servers. They can have all types of services on by default running version X of software that needs to be patched when some hole is found, etc.

One of the great things I find about Node.JS is that you tell it what you want to run on the OS level for your specific application. No middle man layer if you don't want it. All I have to worry about if I host it on a server I administer is OS level ports and the web application code. No Apache config files, module updates, etc.

So when it comes to security in Node.JS worry about scrubbing outside information before acting on it, verify identity on potentially harmful actions, etc. Be as closed as possible. Use SFTP to transfer your files to the remote hosting server and just have the necessary ports open for your web application to function properly.


Try using Nginx as your frontend-webserver to improve both stability and security. Check google for some resources for that topic.