So, I'm in the middle of learning my way around Node.JS, and so far I'm loving it. I've got a couple of projects already at work that I think I can utilize nodejs in.
I'm worried, though, about security. If I write a custom webserver using Node.JS's http module, am I likely to be super vulnerable to attacks? Apache/IIS have had years (and years and years) of professional teams building security into their webservers, and still people continue to find holes. Is it likely that my homebrewed webserver will be much more open to attack?
What things can I focus on to build a good layer of security into my webserver? Are there any good articles out there that cover the topic?
The reason why there are years and years of professional teams building security into Apache / IIS is because those are all-encompassing servers. They can have all types of services on by default running version X of software that needs to be patched when some hole is found, etc.
One of the great things I find about Node.JS is that you tell it what you want to run on the OS level for your specific application. No middle man layer if you don't want it. All I have to worry about if I host it on a server I administer is OS level ports and the web application code. No Apache config files, module updates, etc.
So when it comes to security in Node.JS, worry about scrubbing outside information before acting on it, verify identity on potentially harmful actions, etc. Be as closed as possible. Use SFTP to transfer your files to the remote hosting server and just have the necessary ports open for your web application to function properly.