💚 3 Valentine’s Poems for a Beloved & Secure Node.js App
Dedicated to everyone who is as helpless a romantic as I am, and hopelessly in love with their Node.js apps.
In a Relationship You Respect a Spouse’s Privileges!
Roses are red,
Violets are blue,
Never run node with su__
If your brain didn’t auto-complete that: you never want to run the Node.js process, or an npm install, with superuser privileges, such as in this common mistake:
# don’t do this!
sudo node index.js
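A startup guard that makes the poem's rule enforceable, as an added example (not code from the original post): the decision is a pure function of the effective uid/gid so it can be tested without being root, and the one legitimate case of starting as root (binding a port below 1024) is handled by dropping privileges before any request is served. The user and group names passed to dropPrivileges are assumptions for whatever account your deployment uses.

```javascript
'use strict';

// Refuse-to-run-as-root guard for a Node.js service. Added example; not code
// from the original post. The decision logic is pure so it can be unit-tested
// on any machine, whether or not the test runner happens to be root.

// Returns { ok, reason } for the given effective ids. Ids are numbers; 0 is root.
function checkPrivileges({ euid, egid }, { allowRoot = false } = {}) {
  const isRoot = euid === 0 || egid === 0;
  if (isRoot && !allowRoot) {
    return { ok: false, reason: `refusing to run with superuser privileges (euid=${euid}, egid=${egid})` };
  }
  return { ok: true, reason: isRoot ? 'running as root (explicitly allowed)' : 'running unprivileged' };
}

// Reads the ids of the current process; returns -1 on platforms without them (Windows).
function currentIds() {
  return {
    euid: typeof process.geteuid === 'function' ? process.geteuid() : -1,
    egid: typeof process.getegid === 'function' ? process.getegid() : -1,
  };
}

// For the one legitimate reason to start as root (binding a port below 1024):
// drop to an unprivileged account as early as possible. Group first, because
// after setuid() the process can no longer change its group. The account names
// are assumptions; use whatever your deployment created for the service.
// Returns true when the process ended up unprivileged.
function dropPrivileges(user = 'nodeapp', group = 'nodeapp') {
  if (typeof process.setuid !== 'function') return false;   // no POSIX ids on this platform
  if (process.geteuid() !== 0) return true;                  // nothing to drop
  process.setgid(group);
  process.setuid(user);
  return process.geteuid() !== 0 && process.getegid() !== 0;
}

// Startup hook: exit before any request handling if we are still root.
// `exit` is injectable so the behaviour can be tested without killing the process.
function enforceAtStartup(exit = (code) => process.exit(code)) {
  const verdict = checkPrivileges(currentIds());
  if (!verdict.ok) {
    console.error(verdict.reason);
    exit(1);
  }
  return verdict;
}

// Demo: report only, never exits, so it is safe to run anywhere.
console.log(checkPrivileges(currentIds()).reason);
```

Call enforceAtStartup() as the first statement of your entry file, before listen(); if the service genuinely has to start as root, call dropPrivileges() right after the privileged bind and then enforceAtStartup() to prove the drop took effect.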
It Is Important To Listen
Roses are red,
Violets are blue,
Never write a regex, or you’ll DoS your task que__
If your brain didn’t auto-complete that: avoid, as much as you possibly can, writing custom regex code in a JavaScript app (browser or Node.js). Regular expressions cost compute cycles, and it is easy to write a bad regex that leads to denial of service by blocking the event loop.
Instead, use a common validation library such as one of those below, or run your regex through safe-regex to validate the pattern.
npm install validator joi safe-regex
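To show what safe-regex is looking for, here is an added example (not code from the original post, nor from the safe-regex or validator packages) that computes a pattern's "star height", the nesting depth of unbounded quantifiers, and gates input validation on it. The MAX_INPUT_LENGTH cap and the SAFE_EMAIL pattern are assumptions chosen for the demo, and the heuristic is narrower than a full analysis: overlapping alternations like /(a|aa)+/ pass it.

```javascript
'use strict';

// Added example, not code from the original post or from the safe-regex package.
// starHeight() approximates the check safe-regex performs: it returns the
// deepest nesting of unbounded quantifiers (*, +, {n,}) in a pattern. A value
// above 1 means a quantified group that itself contains an unbounded quantifier,
// the shape behind most catastrophic-backtracking patterns such as /(a+)+$/.
function starHeight(source) {
  new RegExp(source);            // throw early on invalid syntax (unbalanced parens etc.)
  const stack = [{ inner: 0 }];  // one frame per open group; index 0 is the top level
  let lastGroupHeight = 0;       // star height of the group that just closed, else 0
  let max = 0;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; lastGroupHeight = 0; continue; }   // escaped char: a plain atom
    if (c === '[') {                                            // character class: one atom
      i++;
      if (source[i] === '^') i++;
      if (source[i] === ']') i++;                               // leading ']' is literal
      while (i < source.length && source[i] !== ']') { if (source[i] === '\\') i++; i++; }
      lastGroupHeight = 0;
      continue;
    }
    if (c === '(') { stack.push({ inner: 0 }); lastGroupHeight = 0; continue; }
    if (c === ')') {
      const closed = stack.pop();
      const parent = stack[stack.length - 1];
      parent.inner = Math.max(parent.inner, closed.inner);
      lastGroupHeight = closed.inner;
      continue;
    }
    let unbounded = c === '*' || c === '+';
    if (c === '{') {                                            // {n} and {n,m} are bounded, {n,} is not
      const m = /^\{(\d+)(,(\d*))?\}/.exec(source.slice(i));
      if (m) { unbounded = m[2] !== undefined && m[3] === ''; i += m[0].length - 1; }
    }
    if (unbounded) {
      const h = lastGroupHeight + 1;        // quantifying a group adds one level
      const top = stack[stack.length - 1];
      top.inner = Math.max(top.inner, h);
      max = Math.max(max, h);
      if (source[i + 1] === '?') i++;       // lazy modifier belongs to this quantifier
    }
    lastGroupHeight = 0;                    // literal, '.', '?', '|', anchor, or quantifier consumed
  }
  return max;
}

// Gate for patterns written in-house or loaded from config: reject before first use.
function isSafePattern(source) {
  return starHeight(source) <= 1;
}

// Mitigation that works regardless of the pattern: a length cap bounds the work
// any backtracking can do. Both constants are assumptions for this demo.
const MAX_INPUT_LENGTH = 254;
const SAFE_EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;   // star height 1; rough shape check only

function validateInput(value, pattern = SAFE_EMAIL) {
  if (typeof value !== 'string' || value.length > MAX_INPUT_LENGTH) return false;
  if (!isSafePattern(pattern.source)) throw new Error(`refusing unsafe pattern ${pattern}`);
  return pattern.test(value);
}

// A hand-rolled email check of the kind the poem warns about: the outer '+'
// wraps a group that already contains '+', so the check flags it.
const VULNERABLE_EMAIL = /^([a-zA-Z0-9]+\.?)+@([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
console.log('vulnerable pattern star height:', starHeight(VULNERABLE_EMAIL.source)); // 2
console.log('safe pattern star height:', starHeight(SAFE_EMAIL.source));             // 1
```

The point of the length cap is that it is the one control that does not depend on getting the pattern right; the star-height check catches the most common mistake, and a validation library covers the rest.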
Secrets Should Remain Secret
Roses are red,
Violets are blue,
Committing secrets to git? Shame on you!
Plain-text secrets in your source code are bad, and worse when they get pushed to a repository, public or private. One workaround is to encrypt them at rest in source code, but that’s not very manageable and has a lot of downsides. A better option is fetching them from a secrets service over a secure connection. Another is following the 12-factor app environment variables pattern.
In any case, you should use a tool such as git-secrets to help ensure you don’t accidentally commit secrets like passwords, API keys or tokens to git.
npm install git-secrets pre-git
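What such a pre-commit hook does under the hood, as an added example that is not code from the original post or from git-secrets/pre-git: a scanner that checks only the lines being added in a staged diff against a few high-confidence patterns, plus the 12-factor alternative of reading secrets from the environment and failing fast when one is missing. The rule set, the secrets:allow opt-out marker and the sample diff are constructed for this demo; AKIAIOSFODNN7EXAMPLE is the documentation example key, not a live credential.

```javascript
'use strict';

// Added example, not code from the original post or from git-secrets/pre-git.
// findSecrets() checks text against a few constructed high-confidence patterns,
// scanDiff() applies it to the added lines of a unified diff (git diff --cached -U0),
// and requireEnv() is the 12-factor alternative: secrets come from the environment.

const RULES = [
  // AWS access key ids have a fixed 'AKIA' prefix followed by 16 upper-case/digit chars.
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/ },
  // A credential-looking name assigned a quoted literal of 8+ characters.
  { name: 'hardcoded-credential',
    re: /(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];
const ALLOW_MARKER = 'secrets:allow';   // constructed opt-out for known-fake test fixtures

// Returns [{ line, rule, snippet }] for every matching line of `text`.
// The snippet is truncated so the report itself does not echo the whole secret.
function findSecrets(text) {
  const findings = [];
  text.split('\n').forEach((lineText, idx) => {
    if (lineText.includes(ALLOW_MARKER)) return;
    for (const { name, re } of RULES) {
      const m = re.exec(lineText);
      if (m) findings.push({ line: idx + 1, rule: name, snippet: m[0].slice(0, 12) + '...' });
    }
  });
  return findings;
}

// Walks a unified diff and scans only '+' lines, reporting the new file line number.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let line = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { line = Number(hunk[1]); continue; }
    if (raw.startsWith('+')) {
      for (const f of findSecrets(raw.slice(1))) findings.push({ file, ...f, line });
      line++;
    } else if (!raw.startsWith('-') && !raw.startsWith('\\')) {
      line++;   // unchanged context line (none with -U0, but harmless)
    }
  }
  return findings;
}

// 12-factor style: the secret lives in the environment, and a missing one is a
// startup error rather than a silently empty string.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`missing required secret ${name}; set it in the environment`);
  }
  return value;
}

// Constructed sample diff: two lines that should be blocked, one that is fine.
const SAMPLE_DIFF = [
  'diff --git a/config.js b/config.js',
  '--- a/config.js',
  '+++ b/config.js',
  '@@ -10,0 +11,3 @@',
  "+const dbPassword = 'hunter2hunter2';",
  '+const awsKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '+const apiToken = process.env.API_TOKEN;',
].join('\n');

for (const hit of scanDiff(SAMPLE_DIFF)) {
  console.error(`${hit.file}:${hit.line} ${hit.rule} ${hit.snippet}`);
}
```

Wired into a hook, the scanner reads `git diff --cached -U0` and exits non-zero when scanDiff returns anything, which is what blocks the commit; the third sample line shows the shape that passes, a reference to process.env that requireEnv then resolves at startup.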
Further Reading
If you’re interested in strengthening your skills around Node.js security practices and avoiding Node.js pitfalls in production, I invite you to grab a copy of the book I wrote:
Essential Node.js Security (leanpub.com): hands-on and abundant with source code, a practical guide to securing Node.js web applications.
Also, you can find a list of security best practices I helped contribute to in the popular Node.js Best Practices GitHub repo:
i0natan/nodebestpractices (github.com): the largest Node.js best practices list, curated from the top ranked articles and always updated.
Can’t wait to see your own love poems on Twitter!
Ping me on https://twitter.com/liran_tal
Happy & Secure Valentine’s Day,
Liran 💚