3

Node.js provides us with a very easy way to create a quick server so we don't have to use others such as Apache or IIS.

This sounds very good but... how secure is a node.js server? Can we compare IIS or Apache with node.js, which was born just a few years ago?

I've been reading similar questions and some posts about it and they don't seem to inspire much confidence in terms of security. Most of these posts are not so recent. Has node.js improved its security during these last years to be able to be used in secure production sites?

There seems to be a large number of big companies making use of node.js but... is an extra effort needed to secure a site?

I guess using some frameworks such as Express might help on this topic but I'm not sure to what extent.

Community
Alvaro
    Your second article does not seem to make useful points. It says things like sloppy programming that generates errors in node.js will make the server stop. Duh. Is there any server-based programming language that writing error-prone code won't interrupt the server? It tries to make a big deal out of the use of `eval()` for injection vulnerabilities. First off, run in `strict` mode. Second off, don't use `eval()` - ever. The language does not prevent you from writing stupid, insecure code. Like any other language I know, it requires that you use some security common sense. – jfriend00 Jul 23 '14 at 17:33
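The two points in the comment above (never `eval()` client input, and don't let a bad request throw out of the handler), shown as an added example that is not part of the original thread. The function names and sample request bodies are constructed for illustration, and the "code" body is a benign stand-in that only sets a marker.

```javascript
'use strict';

// Constructed sample request bodies (not from the thread).
const GOOD_BODY = '{"name":"alice","age":30}';
const MALFORMED_BODY = '{"name":"alice",';
// Benign stand-in for client-supplied code: it only sets a marker property.
const CODE_BODY = '(globalThis.evalMarker = "ran", {"name":"x"})';

// Anti-pattern: eval() runs any expression the client sends, and a syntax
// error in the body throws straight out of the handler.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// Hardened: JSON.parse only builds data and never runs code. Size and shape
// are checked, and parse errors become a 400 instead of an uncaught throw.
function parseBody(body, maxLength = 1024) {
  if (typeof body !== 'string') return { status: 400, error: 'missing body' };
  if (body.length > maxLength) return { status: 413, error: 'body too large' };
  let value;
  try {
    value = JSON.parse(body);
  } catch (err) {
    return { status: 400, error: 'malformed JSON' };
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { status: 400, error: 'expected a JSON object' };
  }
  return { status: 200, value };
}

// Runs both parsers over the samples and reports what happened.
function compare() {
  delete globalThis.evalMarker;
  parseWithEval(CODE_BODY);
  const evalRanCode = globalThis.evalMarker === 'ran';
  delete globalThis.evalMarker;
  let evalThrew = false;
  try { parseWithEval(MALFORMED_BODY); } catch (err) { evalThrew = true; }
  const bodies = [GOOD_BODY, MALFORMED_BODY, CODE_BODY];
  const statuses = bodies.map((b) => parseBody(b).status);
  const jsonRanCode = 'evalMarker' in globalThis;
  return { evalRanCode, evalThrew, jsonRanCode, statuses };
}

console.log(compare());
```
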

1 Answer

4

Ultimately, Node.js is only as secure as the developers using it care for it to be. The Node.js core itself is pretty robust and the team has been doing an incredible job tackling vulnerability issues efficiently. You can check the latest here.

As for building secure apps, I would recommend you try to know more about how to secure your apps from the start rather than later. You can find good resources at nodesecurity.io. One nice place to start is by checking this blog post on how to build secure expressjs apps (the fundamentals apply to any kind of framework).

Nathaniel Ford
David Dias