Like any other kind of app, JavaScript apps have to be written well, or we run into all kinds of problems later on.
In this article, we’ll look at some best practices we should follow when writing Node apps.
Configure 2FA for NPM or Yarn
We should enable two-factor authentication on our package registry accounts so that a leaked or phished password alone isn’t enough to publish a package under our name.
It doesn’t make the account uncrackable, but an attacker then also needs our second factor to log in or publish, and npm can be set to require it for both login and every publish.
Modify Session Middleware Settings
Session middleware settings should be changed so they don’t expose anything that helps attackers.
For example, the X-Powered-By header should be removed, so attackers can’t tell at a glance which framework we’re using; Express sends it by default.
Session cookies should also be marked Secure, so the browser only sends them over HTTPS, and HttpOnly, so scripts in the page can’t read them.
Then an attacker on the network can’t sniff the session ID, and an injected script can’t steal it either.
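The following is an added example, not code from the original article: it takes a weak session configuration of the kind express-session uses by default, hardens the cookie flags, shows the resulting Set-Cookie header, and strips the headers that fingerprint the stack. The helpers are framework-agnostic; the comments name the equivalent Express settings. The cookie name, lifetime and header values are assumptions for the demo.

```javascript
// Added example (not from the original article): hardening session-cookie
// settings and stripping the framework fingerprint header.

// Weak configuration, like express-session's defaults: the cookie travels over
// plain HTTP and keeps the recognisable default name.
const weakSessionConfig = {
  name: 'connect.sid',
  secret: 'change-me',
  cookie: { secure: false, httpOnly: true },
};

// Return a copy of the config with the flags every session cookie should carry.
// In Express this object is what you pass to session(...) from express-session.
function hardenSessionConfig(config) {
  return {
    ...config,
    name: 'sid',                // generic name, no framework hint (assumed)
    cookie: {
      ...config.cookie,
      secure: true,             // only sent over HTTPS
      httpOnly: true,           // not readable from document.cookie
      sameSite: 'lax',          // not attached to cross-site POSTs
      maxAge: 30 * 60 * 1000,   // 30 minutes, in ms (assumed lifetime)
    },
  };
}

// Serialise a cookie the way a Set-Cookie header carries it, so the effect of
// the flags is visible.
function serializeCookie(name, value, cookie) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (cookie.maxAge != null) parts.push(`Max-Age=${Math.floor(cookie.maxAge / 1000)}`);
  if (cookie.httpOnly) parts.push('HttpOnly');
  if (cookie.secure) parts.push('Secure');
  if (cookie.sameSite) {
    const s = cookie.sameSite;
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  }
  return parts.join('; ');
}

// Drop headers that identify the stack. Express adds the first one unless you
// call app.disable('x-powered-by'); reverse proxies and other frameworks may
// add the others.
const FINGERPRINT_HEADERS = ['x-powered-by', 'server', 'x-aspnet-version'];
function stripFingerprintHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!FINGERPRINT_HEADERS.includes(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Demo on constructed values
const hardened = hardenSessionConfig(weakSessionConfig);
console.log(serializeCookie(hardened.name, 'abc123', hardened.cookie));
console.log(stripFingerprintHeaders({ 'X-Powered-By': 'Express', 'Content-Type': 'text/html' }));
```

The SameSite=Lax default still lets top-level navigations carry the cookie, which is what most login flows need; use 'strict' if the app has no cross-site entry points.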
Avoid DoS Attacks by Explicitly Setting when a Process Should Crash
An unhandled error crashes a Node process, and Express, for example, will crash on an error thrown from an async route handler unless we catch it ourselves.
If attackers find an input that triggers such an error, they can send it repeatedly and keep the service down for as long as they like.
So we should decide explicitly which errors crash the process: validate input so bad user data never reaches code that throws on it, catch errors that originate inside a request and answer with an error response instead of exiting, and reserve crashing for errors that leave the process in an unknown state.
Also, we should alert ourselves whenever a process does crash.
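Here is an added example (not from the original article) of drawing that line. It uses no framework; wrapHandler mirrors the usual pattern of wrapping Express async route handlers so a rejected promise is handled instead of becoming an unhandled rejection. The request shape, the page-7 "bug" and the alerts array are constructed for the demo.

```javascript
// Added example, not from the original article: decide explicitly which
// errors end a request with an error response and which end the process.

// Expected failures (bad input, upstream timeout): respond and keep serving.
class OperationalError extends Error {
  constructor(message, status = 400) {
    super(message);
    this.status = status;
    this.isOperational = true;
  }
}

// Validate input before it reaches code that would throw on it, so an
// attacker can't pick a crashing input and replay it.
function parsePageNumber(raw) {
  if (!/^\d{1,4}$/.test(String(raw))) {
    throw new OperationalError(`invalid page "${raw}"`, 400);
  }
  return Number(raw);
}

const alerts = []; // stand-in for a real alerting hook (pager, chat, ...)
function alertOps(err) {
  alerts.push(`${err.name}: ${err.message}`);
}

// Turn an async handler into one that never rejects: operational errors get
// their own status code, anything else gets a generic 500 plus an alert. The
// process keeps running, because one bad request must not cost every other
// user their session.
function wrapHandler(handler) {
  return async (req) => {
    try {
      return await handler(req);
    } catch (err) {
      if (err.isOperational) return { status: err.status, body: err.message };
      alertOps(err);
      return { status: 500, body: 'internal error' };
    }
  };
}

const listItems = wrapHandler(async (req) => {
  const page = parsePageNumber(req.query.page);
  if (page === 7) throw new TypeError('bug: unexpected null'); // simulated programmer error
  return { status: 200, body: `page ${page}` };
});

// Errors that escape every handler leave the process in an unknown state:
// that is the one case where crashing is the right call. Alert, then exit so
// the supervisor (systemd, pm2, a container runtime) starts a clean copy.
process.on('uncaughtException', (err) => {
  alertOps(err);
  process.exit(1);
});

// Constructed requests exercising the three paths
(async () => {
  for (const page of ['2', '../etc/passwd', '7']) {
    console.log(page, await listItems({ query: { page } }));
  }
})();
```

The point of the split is that a 400 for bad input and a 500 for a bug are both cheap to serve, while an exit is not; the only thing that should still exit is an error nobody caught, and that exit must page someone.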
Prevent Unsafe Redirects
We shouldn’t let attackers redirect users wherever they want.
A redirect that takes its target straight from a query parameter lets a phishing link that starts on our domain land on the attacker’s site.
To prevent this, we build the target ourselves: map the parameter to an allowlist of paths we control, or accept only a local path and reject absolute and protocol-relative URLs, so the redirect always goes where we intend instead of where the attacker wants.
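The two approaches, as an added example that is not part of the original article. The allowlist entries, the origin https://app.example and the sample ?next= values are all assumptions made for the demo.

```javascript
// Added example, not from the original article: two ways to take a redirect
// target from the request without letting the caller choose an arbitrary URL.

const DEFAULT_TARGET = '/';

// Option 1: the parameter is a key into a table we own, never a URL.
const SAFE_TARGETS = new Map([
  ['dashboard', '/dashboard'],
  ['settings', '/account/settings'],
]);
function redirectForKey(key) {
  return SAFE_TARGETS.get(key) ?? DEFAULT_TARGET;
}

// Option 2: accept a path, but only a local one. Parsing it against our own
// origin (an assumed value here) lets the URL parser, rather than a string
// prefix check, decide where the browser would actually go: '//evil.example'
// and '/\\evil.example' both resolve to another origin and are rejected, and
// absolute URLs or javascript: never pass the leading-slash check.
function safeLocalPath(raw, origin = 'https://app.example') {
  if (typeof raw !== 'string' || !raw.startsWith('/')) return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(raw, origin);
  } catch {
    return DEFAULT_TARGET;
  }
  if (url.origin !== origin) return DEFAULT_TARGET;
  return url.pathname + url.search; // keep path and query, drop origin and fragment
}

// Constructed inputs an attacker might put in ?next=
for (const next of ['/dashboard?tab=2', '//evil.example/login', '/\\evil.example', 'https://evil.example/', 'javascript:alert(1)']) {
  console.log(JSON.stringify(next), '->', safeLocalPath(next));
}
```

Option 1 is the stronger of the two when the set of destinations is small and known; option 2 is for cases like "return to the page you were on", where the path is genuinely dynamic.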
Avoid Publishing Secrets to the NPM Registry
The NPM registry isn’t a place to store secrets, and everything we publish there is public.
Therefore, we should make sure API keys, passwords, private keys, and other secrets never end up in the package.
We can list files we don’t want to publish in the .npmignore file, but an allowlist is safer: the files field in package.json names exactly what goes into the tarball, and npm pack --dry-run shows what would be published before we publish it.
Note that when a .npmignore file exists, npm uses it instead of .gitignore, so a secret that Git ignores can still be published.
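An added example, not from the original article: a pre-publish check that refuses to ship files that look like secrets. It takes the list of paths the tarball would contain (what npm pack --dry-run prints); here the list and the pattern set are constructed for the demo. Run it from a prepublishOnly script so a failing check aborts npm publish.

```javascript
// Added example, not from the original article: refuse to publish a package
// whose file list contains anything that looks like a credential.

const SECRET_PATTERNS = [
  /(^|\/)\.env(\.[\w.-]+)?$/,           // .env, .env.production: npm does not ignore these by default
  /\.(pem|key|p12|pfx|jks)$/i,          // private keys and keystores
  /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/,  // SSH private keys
  /(^|\/)\.npmrc$/,                     // registry tokens
  /(^|\/)(credentials|secrets?)\.(json|ya?ml|toml)$/i,
  /(^|\/)\.(aws|ssh|docker)\//,         // whole credential directories
];

// Return the paths that match a secret pattern; an empty array means the
// listing is clean.
function findSecretLikeFiles(paths) {
  return paths.filter((p) => SECRET_PATTERNS.some((re) => re.test(p)));
}

// Constructed tarball listing for a package that forgot to exclude its config
const packedFiles = [
  'package.json',
  'README.md',
  'lib/index.js',
  'config/.env.production',
  'config/default.json',
  'certs/server.key',
  'scripts/.aws/credentials',
];

const leaks = findSecretLikeFiles(packedFiles);
if (leaks.length > 0) {
  console.error('refusing to publish, secret-looking files in package:\n  ' + leaks.join('\n  '));
  // process.exitCode = 1; // in a prepublishOnly script, a non-zero exit aborts the publish
}
```

The patterns are a starting point, not a complete list; the reliable control is still the files allowlist, with this check as a second line of defence against someone widening it.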
Don’t Block the Event Loop
Our code shouldn’t block the event loop.
Node runs our JavaScript on a single thread, so a long synchronous computation or a synchronous file read stops every other request from being served until it finishes.
That is also the cheapest denial of service an attacker can ask for: one request with input that triggers a slow synchronous path stalls everyone else.
So long-running work should be asynchronous: use the async APIs for I/O, and split CPU-heavy work into chunks or move it to a worker thread, so users don’t see delays.
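The following added example (not from the original article) makes the cost visible: it runs the same CPU-bound job synchronously and in chunks, while a 10 ms interval measures how late the loop gets to its other work. The prime-summing job, the chunk size and the limit are assumptions chosen for the demo.

```javascript
// Added example, not from the original article: what blocking the event loop
// looks like from the point of view of everything else in the process, and
// one way to give the loop room to breathe for CPU-bound work.

function isPrime(n) {
  if (n < 2) return false;
  for (let d = 2; d * d <= n; d++) if (n % d === 0) return false;
  return true;
}

// Synchronous version: one call, nothing else runs until it returns.
function sumPrimesSync(limit) {
  let sum = 0;
  for (let n = 2; n < limit; n++) if (isPrime(n)) sum += n;
  return sum;
}

// Chunked version: the same work, but after every `chunk` numbers we yield
// with setImmediate so pending timers, sockets and other requests get a turn.
// For heavy workloads, worker_threads moves the work off the loop entirely.
async function sumPrimesChunked(limit, chunk = 2000) {
  let sum = 0;
  for (let start = 2; start < limit; start += chunk) {
    const end = Math.min(start + chunk, limit);
    for (let n = start; n < end; n++) if (isPrime(n)) sum += n;
    await new Promise((resolve) => setImmediate(resolve));
  }
  return sum;
}

// Run `work` while a 10 ms interval ticks, and report the worst lateness of a
// tick: roughly how long any other request would have waited on this process.
async function maxLoopDelayDuring(work) {
  let worst = 0;
  let last = Date.now();
  const probe = setInterval(() => {
    const now = Date.now();
    worst = Math.max(worst, now - last - 10);
    last = now;
  }, 10);
  const result = await work();
  clearInterval(probe);
  return { result, worstDelayMs: worst };
}

(async () => {
  const limit = 150000; // constructed workload size
  console.log('sync   ', await maxLoopDelayDuring(async () => sumPrimesSync(limit)));
  console.log('chunked', await maxLoopDelayDuring(() => sumPrimesChunked(limit)));
})();
```

Expect the synchronous run to report a worst delay close to its whole runtime and the chunked run to stay in the low milliseconds; the total CPU time is the same, only the fairness changes.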
Prefer Native JS Methods Over 3rd Party Utilities Like Lodash
If native JavaScript methods do what we need, we should use them instead of 3rd party libraries.
Every dependency adds install size and startup time, and it is code we have to keep patched and audited.
For instance, instead of Lodash’s array methods, we should use the native array methods, which now cover most of the common cases.
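As an added example (not code from the original article or from Lodash), here are native replacements for a handful of Lodash calls that show up in almost every codebase; each helper takes the same arguments as its Lodash counterpart for the common case, and the sample inputs are constructed.

```javascript
// Added example, not from the original article: native replacements for
// common Lodash helpers.

// _.uniq(arr)
const uniq = (arr) => [...new Set(arr)];

// _.flattenDeep(arr)
const flattenDeep = (arr) => arr.flat(Infinity);

// _.chunk(arr, size)
const chunk = (arr, size) =>
  Array.from({ length: Math.ceil(arr.length / size) }, (_, i) => arr.slice(i * size, i * size + size));

// _.groupBy(arr, keyFn). The accumulator has no prototype, so a key taken
// from user data (such as '__proto__') becomes an ordinary own property
// instead of touching Object.prototype.
const groupBy = (arr, keyFn) =>
  arr.reduce((acc, item) => {
    const key = keyFn(item);
    (acc[key] || (acc[key] = [])).push(item);
    return acc;
  }, Object.create(null));

// _.pick(obj, keys): copies only own properties, so a requested key that is
// not on the object (or that lives on its prototype) is silently skipped.
const pick = (obj, keys) =>
  Object.fromEntries(
    keys.filter((k) => Object.prototype.hasOwnProperty.call(obj, k)).map((k) => [k, obj[k]]),
  );

// _.sortBy(arr, keyFn): Array.prototype.sort is stable since ES2019
const sortBy = (arr, keyFn) =>
  [...arr].sort((a, b) => {
    const ka = keyFn(a);
    const kb = keyFn(b);
    return ka < kb ? -1 : ka > kb ? 1 : 0;
  });

// Demo on constructed data
console.log(uniq([1, 2, 2, 3]));
console.log(flattenDeep([1, [2, [3, [4]]]]));
console.log(chunk([1, 2, 3, 4, 5], 2));
console.log(groupBy(['apple', 'avocado', 'banana'], (s) => s[0]));
console.log(pick({ a: 1, b: 2 }, ['a', 'c', '__proto__']));
console.log(sortBy([{ n: 3 }, { n: 1 }, { n: 2 }], (o) => o.n));
```

The groupBy and pick notes are the reason to write these carefully rather than copy the shortest snippet: helpers that build objects from user-controlled keys are exactly where prototype-pollution bugs come from.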
Start Every New Project with npm init
We should start every new project with npm init so that we have a package.json in our project.
Also, we can add --yes (or -y) to accept the default values for all the options without being prompted.
For example, we can write:
$ mkdir my-app
$ cd my-app
$ npm init --yes
This creates the my-app project folder with a package.json that uses the default options, which we should then edit (at least the name, description, and entry point).
For an app that is never meant to be published, we should also set "private": true in package.json so that npm publish refuses to run.
Use ES6+
It’s time to use the latest JavaScript features.
They’re cleaner than the old syntax, and current Node releases support them natively, so no transpiler is needed.
So we should use features like arrow functions, spread and rest, and more.
Conclusion
We should stick with good practices like modern syntax, async code, hardened session settings, validated input, and a package that never carries our secrets.