Node.js is getting more and more mature, no doubt - despite this, not a lot of security guidelines are out there.
In this post I will share some points you should keep in mind when it comes to Node.js security.
* No eval, or friends
* Strict mode, please
* Static code analysis
* Testing
* Say no to sudo node app.js
* Avoid command injection
* Temp files
* Securing your web application
* Tools to use
* Stay updated
If you use PaaS to host your application, you often end up with lots of small "containers", and with each instance of your app running in another virtual machine. As a result, the instances don't share memory.
How you decide to allow objects to talk to each other has pros and cons for each method, and it's good to know your options, as you can use many together in effective hybrid approaches. This article will cover the 5 common ones you'll often encounter. We'll cover:
* Callbacks
* Events
* Pub Sub
* Promises
* Streams
* Always Use Asynchronous Methods
* Never require Modules Inside of Functions
* Save a reference to this Because it Changes Based on Context
* Always "use strict"
* Validate that Callbacks are Callable
* Callbacks Always Pass Error Parameter First
* Always Check for "error" in Callbacks
* Use Exception Handling When Errors Can Be Thrown
* Use module.exports not just exports
* Use JSDoc
* Use a Process Manager like upstart or forever
* Follow CommonJS Standard
Via Jan Hesse
At work, one thing we are building is a web application that depends on polling a data service through a REST API. It's nothing terribly complex, but I picked up the task of testing that the service provides what it is expected to, especially as further development continues. It's a tedious and mundane task to do manually, so I turned to developing a test suite built on node.js along with two excellent testing libraries, Jasmine.js and Frisby.js. I had some experience with Jasmine, but I had never used Frisby before. Within a couple of hours I was up and running with a decent test suite and overall I am quite pleased with how slick the whole system is.
One of the reasons for AngularJS’ success is its outstanding ability to be tested. It’s strongly supported by Karma (the spectacular test runner written by Vojta Jína) and its multiple plugins. Karma, combined with its fellows Mocha, Chai and Sinon, offers a complete toolset to produce quality code that is easy to maintain, bug-free and well documented.
Tests must define the code’s API. This is the one principle that will guide us through this journey. An AngularJS application is, by definition, composed of modules. The elementary bricks are materialized by different concepts related to the granularity at which you look at them. At the application level, these bricks are AngularJS’ modules.
Using Favatron as a guide, I will take you through the entire process of creating a fully functional production ready Node web application. Some of the many parts we will touch on include authorization, user accounts, data storage, background workers, security, email, APIs, RSS, third party service integrations, and much more.
I am proud to introduce Twitatron, the web application we will be making. Twitatron will automatically monitor your Twitter account for mentions. When it finds those mentions, it will process them, store them, show them in the UI, expose them via an API endpoint and RSS feed, send an email digest, and share weekly stats with integrated social networks.