Node.js Best Practices — Security and Setup

Like any other kind of app, JavaScript apps have to be written well.

Otherwise, we run into all kinds of issues later on.

In this article, we’ll look at some best practices we should follow when writing Node apps.

Configure 2FA for NPM or Yarn

We should enable 2-factor authentication for our package repositories so that attackers can’t get to them easily.

Having it on makes it much harder for attackers to get into our repos.

Modify Session Middleware Settings

Session middleware settings should be modified so they don’t expose anything that helps attackers.

For example, the X-Powered-By header should be removed.

This way, attackers can’t identify what framework we’re using.

Cookies should also only be sent over a secure connection.

Then attackers can’t tap into our connection to get the information they want.

Avoid DoS Attacks by Explicitly Setting when a Process Should Crash

If our processes are overloaded, they should crash so that we can handle these situations gracefully by catching the resulting errors.

This means that attackers can’t keep up their DoS attacks and prolong the downtime of our services.

We should also raise an alert when these events occur.

Prevent Unsafe Redirects

We shouldn’t let attackers redirect users to wherever they want.

To prevent this, we build our own URLs so that redirects always go where we want instead of where attackers want.
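An added example of building the redirect URL ourselves instead of trusting a user-supplied one (this is not code from the article). The requested target is resolved against our own origin with the built-in URL class, and the result is used only if it stays on our host or on an explicitly allowed host; anything else falls back to a fixed path. The origin, the allowlist and the function name are assumptions. It also covers the usual bypasses a defender checks for: protocol-relative targets, backslash variants, embedded credentials and non-http schemes.

```javascript
// Resolve a requested redirect target against our own origin and return an
// absolute URL only if it stays on our host or an explicitly allowed one;
// otherwise return the fallback. Added example; origin and allowlist are assumptions.
function safeRedirect(target, { origin, allowedHosts = [], fallback = '/' }) {
  if (typeof target !== 'string' || target.length === 0) return fallback;
  // URL parsers silently strip control characters and whitespace; treat their
  // presence as hostile input rather than trying to clean it.
  if (/[\u0000-\u0020]/.test(target)) return fallback;
  let url;
  try {
    url = new URL(target, origin); // relative paths resolve against our origin
  } catch {
    return fallback; // unparsable input
  }
  const ours = new URL(origin);
  if (url.protocol !== ours.protocol) return fallback; // rejects javascript:, data:, and http downgrades
  if (url.username || url.password) return fallback;   // rejects https://ours@other.example tricks
  if (url.host !== ours.host && !allowedHosts.includes(url.host)) return fallback;
  return url.href;
}

// Example use with an Express-style response object (opts values are assumptions):
// res.redirect(safeRedirect(req.query.next, { origin: 'https://app.example' }));
```

Comparing url.host after parsing, rather than string-matching the raw input, is what makes the check hold up: inputs like //other.example, /\other.example or https://app.example.other.example all end up with a host that is not ours.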

Avoid Publishing Secrets to the NPM Registry

The NPM registry isn’t a place for storing secrets.

Therefore, we should avoid publishing any secrets there.

To do that, we can add whatever we don’t want to publish to the .npmignore file.

This way, we won’t expose API keys, passwords, and other secrets to the public.

Don’t Block the Event Loop

Our code shouldn’t block the event loop.

This is because the JavaScript in a Node app runs on a single thread.

This means that we should use async code for long-running operations.

Synchronous code that takes a long time to run will keep the rest of our app from running.

With async code, users won’t see delays.

Prefer Native JS Methods Over 3rd Party Utilities Like Lodash

If there are native JavaScript methods available, we should use them instead of 3rd party libraries.

The fewer dependencies we require, the faster and smaller our app will be.

For instance, instead of Lodash array methods, we should use the array methods built into JavaScript.
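An added example (not from the article) of replacing a handful of commonly used Lodash array helpers with built-in methods. Every dependency we drop is also one less package that can be compromised or typosquatted, which is why this matters beyond size. The function names mirror the Lodash ones for familiarity but are assumptions here; the groupBy variant also shows a pitfall that hand-rolled versions tend to miss.

```javascript
// Native replacements for common Lodash array helpers. Added example, not from
// the article; built-in methods only (Node 12+).
function uniq(arr) {
  return [...new Set(arr)];
}

function flattenDeep(arr) {
  return arr.flat(Infinity);
}

function compact(arr) {
  return arr.filter(Boolean);
}

function chunk(arr, size) {
  const out = [];
  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
  return out;
}

// Group into a null-prototype object. With a plain {} a key such as
// "constructor" or "__proto__" coming from untrusted input collides with
// inherited properties instead of storing a group.
function groupBy(arr, keyFn) {
  const groups = Object.create(null);
  for (const item of arr) {
    const key = keyFn(item);
    if (!groups[key]) groups[key] = [];
    groups[key].push(item);
  }
  return groups;
}

// Stable sort by a derived key (Array.prototype.sort is stable since Node 11).
function sortBy(arr, keyFn) {
  return [...arr].sort((a, b) => {
    const ka = keyFn(a), kb = keyFn(b);
    return ka < kb ? -1 : ka > kb ? 1 : 0;
  });
}
```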

Start Every New Project with npm init

We should start every new project with npm init so that we have a package.json in our project.

Also, we can add --yes to accept the default values for all the options.

For example, we can write:

$ mkdir my-app
$ cd my-app
$ npm init --yes

This creates the my-app project folder with a package.json that uses the default options.

Use ES6+

It’s time to use the latest JavaScript features.

They’re much better than the old syntax.

They’re supported by the latest versions of Node.

So we should use features like arrow functions, spread and rest, and more.

Conclusion

We should stick with some good practices like using modern features, async code, and more.

By John Au-Yeung

Web developer specializing in React, Vue, and front end development.
