
💚 3 Valentine’s Poems for a Beloved & Secure Node.js App

Dedicated to everyone who, like me, is a helpless romantic and hopelessly in love with their Node.js apps.

In a Relationship You Respect a Spouse’s Privileges!

Roses are red,

Violets are blue,

Never run node with su__

If your brain didn’t auto-complete that: you never want to run the Node.js process, or an npm install, with superuser privileges, as in this common mistake:

# don’t do this!
sudo node index.js
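The runnable form of that advice, as an added example of mine rather than code from the original post: a startup guard that refuses to serve as root unless the operator names an unprivileged account to drop to, and drops to it only after the one step that genuinely needs root (binding a low port) is done. The `RUN_AS_USER` and `RUN_AS_GROUP` variable names are assumptions chosen for this example.

```javascript
// Added example (mine, not from the post): a startup privilege guard for a
// Node.js service. decidePrivilegeAction is pure so it can be unit-tested
// without actually being root. RUN_AS_USER / RUN_AS_GROUP are assumed
// variable names chosen for this example.

function decidePrivilegeAction({ uid, dropTo }) {
  if (uid !== 0) return 'continue'; // already unprivileged: nothing to do
  if (!dropTo) return 'refuse';     // root with no target account: refuse to start
  return 'drop';                    // root, and told which account to become
}

// Drop from root to an unprivileged account. POSIX only: process.setgid and
// process.setuid do not exist on Windows, so the caller gets a clear error.
// Group first: once the uid is unprivileged, setgid would be denied.
function dropPrivileges({ user, group = user }) {
  if (typeof process.setuid !== 'function' || typeof process.setgid !== 'function') {
    throw new Error('privilege dropping is only available on POSIX platforms');
  }
  process.setgid(group);
  process.setuid(user);
  if (process.getuid() === 0) {
    throw new Error('still running as root after setuid; aborting');
  }
}

// Call this once, after the only step that genuinely needs root (for example
// server.listen(80)) has completed, and before any request is served.
function enforceStartupPolicy(env = process.env) {
  // -1 stands in for "no uid concept" on platforms without process.getuid (Windows)
  const uid = typeof process.getuid === 'function' ? process.getuid() : -1;
  const action = decidePrivilegeAction({ uid, dropTo: env.RUN_AS_USER });
  if (action === 'refuse') {
    throw new Error('refusing to run as root: start without sudo, or set RUN_AS_USER to an unprivileged account');
  }
  if (action === 'drop') {
    dropPrivileges({ user: env.RUN_AS_USER, group: env.RUN_AS_GROUP || env.RUN_AS_USER });
  }
  return action;
}

// Typical wiring (not executed here):
//   server.listen(80, () => {
//     enforceStartupPolicy();
//     console.log('serving as uid', process.getuid());
//   });
```

The same reasoning applies to `sudo npm install`: package lifecycle scripts run with whatever privileges the installer has, so an unprivileged account limits what a bad dependency can touch.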

It Is Important To Listen

Roses are red,

Violets are blue,

Never write a regex, or you’ll DoS your task que__

If your brain didn’t auto-complete that: avoid writing custom regex code in a JavaScript app (browser or Node.js) as much as possible. Regular expressions cost compute cycles, and it is easy to write a bad one that leads to denial of service by blocking the event loop.

Instead, use a common validation library such as one of those below, or run your regex through safe-regex to validate the pattern.

npm install validator joi safe-regex
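To make the "bad regex" concrete, here is an added example of mine (not the post's code and not safe-regex's implementation) that computes a simplified star height, the measure safe-regex uses: nested unbounded repetition such as `(a+)+` or `(\w+\s?)*` has star height 2 and is the classic shape of a catastrophic-backtracking pattern, while a flat pattern like an e-mail check has star height 1. It also shows the second defence the paragraph implies, bounding input length before the engine ever sees it.

```javascript
// Added example (mine, not the post's code): a simplified "star height"
// check in the spirit of safe-regex. It understands escapes, character
// classes, groups, alternation and the quantifiers * + ? {n} {n,} {n,m};
// (?:  (?=  (?!  (?<=  (?<!  and (?<name>  prefixes are skipped.

const UNBOUNDED_BRACE = /^\d+,$/; // {n,} with no upper bound

function starHeight(source) {
  const stack = [0];      // max height seen inside each open group; index 0 is top level
  let lastAtomHeight = 0; // star height of the atom a following quantifier would apply to
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') { i += 2; lastAtomHeight = 0; continue; }   // escaped char: one plain atom
    if (c === '[') {                                             // character class: one plain atom
      let j = i + 1;
      while (j < source.length && source[j] !== ']') j += source[j] === '\\' ? 2 : 1;
      i = j + 1; lastAtomHeight = 0; continue;
    }
    if (c === '(') {                                             // open a group
      stack.push(0);
      if (source[i + 1] === '?') {
        const named = source[i + 2] === '<' && source[i + 3] !== '=' && source[i + 3] !== '!';
        const close = named ? source.indexOf('>', i) : -1;
        i = close === -1 ? i + 3 : close + 1;
      } else {
        i += 1;
      }
      continue;
    }
    if (c === ')') {                                             // close a group: it becomes one atom
      const inner = stack.pop();
      stack[stack.length - 1] = Math.max(stack[stack.length - 1], inner);
      lastAtomHeight = inner; i += 1; continue;
    }
    if (c === '|') { lastAtomHeight = 0; i += 1; continue; }
    let unbounded = false;
    if (c === '*' || c === '+') { unbounded = true; i += 1; }
    else if (c === '?') { i += 1; }                              // optional or lazy modifier: bounded
    else if (c === '{') {
      const close = source.indexOf('}', i);
      if (close === -1) { i += 1; lastAtomHeight = 0; continue; } // a literal '{'
      unbounded = UNBOUNDED_BRACE.test(source.slice(i + 1, close));
      i = close + 1;
    }
    else { lastAtomHeight = 0; i += 1; continue; }               // any other single-char atom
    if (unbounded) {
      const h = lastAtomHeight + 1;
      stack[stack.length - 1] = Math.max(stack[stack.length - 1], h);
    }
    lastAtomHeight = 0; // a quantifier consumes its atom
  }
  return stack[0];
}

// safe-regex's rule of thumb: reject anything with star height above 1
function isSafeRegex(re, maxStarHeight = 1) {
  const source = re instanceof RegExp ? re.source : String(re);
  return starHeight(source) <= maxStarHeight;
}

// Second defence: cap the input before it reaches the engine at all, so even a
// pattern that slipped through cannot be fed a long crafted string.
function matchesBounded(re, input, maxLength = 256) {
  if (typeof input !== 'string' || input.length > maxLength) return false;
  return re.test(input);
}
```

Star height is a heuristic: it catches nested quantifiers, which is where most ReDoS patterns come from, but not every ambiguous pattern (for example alternations whose branches overlap), which is one more reason to prefer a maintained validation library over hand-written patterns for untrusted input.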

Secrets Should Remain Secret

Roses are red,

Violets are blue,

Committing secrets to git? Shame on you!

Plain-text secrets in your source code are bad, and worse when they get pushed to a repository, public or private. One workaround is to encrypt them at rest in the source code, but that is not very manageable and has a lot of downsides; a better one is to fetch them from a secrets service over a secure channel. Another option is to follow the twelve-factor app pattern and pass them in as environment variables.

In any case, you should use a tool such as git-secrets to help ensure that you don’t accidentally commit secrets like passwords, API keys or tokens to git.

npm install git-secrets pre-git
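Both halves of that advice in code, as an added example of mine (not the post's code, and not git-secrets' own rule set): a small pre-commit style scanner that flags lines looking like hard-coded credentials, and a twelve-factor loader that reads secrets from environment variables, fails fast when one is missing, and keeps them out of serialized logs. The two detection rules (assignment to a credential-like name, and a long high-entropy token) are heuristics I chose for illustration, and the sample file content is constructed.

```javascript
// Added example (mine, not from the post or from git-secrets): heuristic
// secret scanning for a pre-commit hook, plus an environment-based loader.

// Rule 1: a credential-like name assigned a quoted literal of 8+ characters.
// Both quantified parts are flat (star height 1), so the rule itself cannot ReDoS.
const CREDENTIAL_ASSIGNMENT = /(password|passwd|secret|api[_-]?key|token|private[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]/i;
// Rule 2 candidate: any run of 32+ token characters, judged by entropy below.
const TOKEN_LIKE = /\b[A-Za-z0-9_\-]{32,}\b/g;

// Shannon entropy in bits per character; random keys score high, prose and
// repeated filler score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function scanForSecrets(text, { entropyThreshold = 4.0 } = {}) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    const assign = CREDENTIAL_ASSIGNMENT.exec(line);
    if (assign) {
      findings.push({ line: lineNo, reason: `assignment to credential-like name "${assign[1]}"` });
      return;
    }
    for (const token of line.match(TOKEN_LIKE) || []) {
      const bits = shannonEntropy(token);
      if (bits >= entropyThreshold) {
        findings.push({ line: lineNo, reason: `high-entropy token (${bits.toFixed(2)} bits/char)` });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample of staged file content (not a real key).
const SAMPLE_STAGED_CONTENT = [
  'const greeting = "hello world";',
  'const dbPassword = "hunter2hunter2";',                           // rule 1 fires
  'const sessionSigningKey = "k9Z2mQ7vLp4Xs1Rb8Nc3Wf6Ht0YjG5Ed";', // rule 2 fires (32 distinct chars)
  'const filler = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";',         // long but zero entropy: no finding
  '// TODO: rotate the password regularly',                        // keyword without a literal: no finding
].join('\n');

// Twelve-factor style: secrets come from the environment, never the source tree.
// Missing variables fail at startup rather than deep inside a request, and the
// returned object redacts itself under JSON.stringify so a stray log line
// cannot leak a value.
function requireEnv(names, env = process.env) {
  const missing = names.filter((n) => !env[n]);
  if (missing.length) {
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  const config = {};
  for (const n of names) config[n] = env[n];
  Object.defineProperty(config, 'toJSON', {
    value: () => Object.fromEntries(names.map((n) => [n, '[redacted]'])),
  });
  return config;
}

for (const f of scanForSecrets(SAMPLE_STAGED_CONTENT)) {
  console.log(`line ${f.line}: ${f.reason}`);
}
```

In a hook you would run `scanForSecrets` over `git diff --cached` output and exit non-zero on any finding; expect some false positives from the entropy rule on things like hashes in lock files, and handle them with an allow-list rather than by lowering the threshold.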

Further Reading

If you’re interested in strengthening your Node.js security skills and avoiding Node.js pitfalls in production, I invite you to grab a copy of the book I wrote:

Essential Node.js Security (leanpub.com): hands-on and abundant with source code, a practical guide to securing Node.js web applications. Node.js Secure Code…

Also, you can find a gist of security best practices I helped contribute to in the popular Node.js Best Practices GitHub repo:

i0natan/nodebestpractices (github.com): the largest Node.js best practices list, curated from the top ranked articles and always updated.

Can’t wait to see your own love poems on twitter!
ping me on https://twitter.com/liran_tal

Happy & Secure Valentine’s day,
Liran 💚