
Is nodejs secure as is?

Posted by: admin, November 30, 2017


I have a Linux box and just installed Node.js. A lot of the examples I see just do a specific function, but I don't see anywhere that they "secure" the Node.js server. For example, for PHP I would use sessions to secure an area of my website. Is Node.js OK as is? Does it need additional settings or code to make sure only the right people are accessing it? Or is it OK right "out of the box"?


Node is, essentially, just a web server. It doesn't have any idea who the "right people" to access it are, and will by default serve requests to any and all comers.

If you require specific access control mechanisms, it is your responsibility to implement that yourself.


Node.js isn't in itself a web server. It's an asynchronous event engine programmed in JavaScript. 🙂

PHP doesn’t serve the output it generates. This task is left to a web server like Apache or IIS. PHP comes with a Session Management module (exposed through the super-global $_SESSION variable), whereas Node.js comes with a web server module (“http”).

Node.js lets you do both in one environment because it lets you and your program instantiate a web server yourself. That makes it very, very easy to expose functionality to the web as a plain old HTTP(s) web server whereas with PHP your environment is restricted by the web server configuration.

In fact, think of the 'http' module more like an implementation of the HTTP protocol in an event-driven manner. If you need a "real" web server, a project like express will be much more suitable for you, because it comes with features that a web server like Apache would provide.

Incidentally, the express framework already provides session support.

So, to actually answer your question(s): Yes, Node.js is ok as is because it is not a web server in itself. When you pull in modules you must take into account their settings. You are in full control over the “user agent experience.”


I noticed that the examples for http.createServer are insecure, if you don’t qualify paths as being allowed. e.g.: I was able to fetch http://localhost/../../../../../etc/passwd with curl.

I solved the problem by not allowing any files to be served that aren’t in the current directory.

var path = require('path'), fs = require('fs');
var root = process.cwd();
var filename = path.normalize(path.join(root, uri));
// Accept root itself or a path below it; the separator stops "/srv/app-secret" matching root "/srv/app".
if (filename === root || filename.indexOf(root + path.sep) === 0) {
    fs.access(filename, function (err) {   // fs.access replaces the long-removed path.exists
        if (err) { res.writeHead(404); return res.end(); }
        fs.createReadStream(filename).pipe(res);
    });
}


Node.js is just the environment in which your server side javascript would run from the modules you create. It provides you with many built-in libraries/modules such as http/https. Anything and everything around security, authentication, and authorization has to be written by you or incorporated using open source modules. If you’re writing a web app, look at Express as your framework and use its session functionality to help build things out.

With respect to securing the server from an infrastructure standpoint, you can place it behind a reverse proxy like NGINX and use a firewall to open only the NGINX port, 80 or 443 depending on your needs. This is usually handy as you'll run multiple instances of Node to match your CPU core count, and the reverse proxy can round-robin between these while allowing you to keep the Node ports closed.


Express supports sessions, but I've read some articles that advise not to use sessions for performance reasons, because they allocate memory. I've used sessionStorage to save the client's username and password. The issue is that a hacker can access it through the console, so I found a password encryption JavaScript library, sjcl (http://crypto.stanford.edu/sjcl/). But then another issue is that the sjcl functions can still be accessed in the console, so what I've done is rewrite the function when the user is online.

   # offline - sjcl can be accessed in the console
   # online - override sjcl to prevent access in the console
   window.sjcl = -> "back-off hacker!"

What I've done is send the username and password from sessionStorage to the server when the page is reloaded, so that it will check and respond with the proper page (offline or online) for you.

But of course this security is for an average website only; I wouldn't recommend it for banks or governments. I hope you get the idea.. ^_^

PS: I'm using AngularJS and express.io.