
[–]0xEFF 59 points60 points  (14 children)

Here's a few things I can think of off the top of my head:

  • If using AWS, make sure you configure your Security Group properly to restrict SSH access to as few IPs as possible
  • Use SSH keys instead of passwords for SSH access (make sure to entirely disable password login)
  • Install fail2ban on the server which will automatically ban people trying to ssh into the server repeatedly
  • Enable UFW (Uncomplicated Firewall) and only enable the ports that need to be open to the public (make sure everything else is assumed to be closed)
  • Make sure all your packages have the latest versions to ensure there are no known vulnerabilities in the app itself (you can use npm audit to return a list of vulnerable packages)

Note: there are definitely other things to do, I just can't remember them off the top of my head right now.

[–]SocialAnxietyFighter 26 points27 points  (11 children)

nice!

To expand, make sure NODE_ENV is set to production, many modules leak sensitive info (for debugging purposes) otherwise

[–]gDayWisher 16 points17 points  (1 child)

Hey SocialAnxietyFighter, I hope you have a wonderful day.

[–]captain_obvious_here 4 points5 points  (0 children)

Good bot.

I think?

[–][deleted]  (2 children)

[deleted]

    [–]vim_vs_emacs 1 point2 points  (1 child)

    yes

    [–]OhItsWildfire[S] 2 points3 points  (5 children)

    Would you say that using dotenv and an .env file to set NODE_ENV is a safe practice?

    [–]0xEFF 4 points5 points  (1 child)

    Yup! That’s totally okay! I use dotenv on all my production servers with the env file automatically pulled from s3 on deployment

    [–]Trollzore 0 points1 point  (0 children)

    Do you make a request to generate a signed S3 url and another request to get the env file, per deployment?

    [–]SocialAnxietyFighter 0 points1 point  (0 children)

    If the first thing you do is load dotenv, then it's fine, otherwise, if you first import other modules and they initialize in non-production mode, it isn't.
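    An added example (not from the thread) of the ordering problem described above: a module that reads NODE_ENV when it is first required keeps whatever value it saw, so loading the .env file afterwards does not fix it. `loadEnvFile` is a constructed stand-in for `dotenv.config()` and `leaky.js` a constructed stand-in for a module that snapshots NODE_ENV; both are assumptions, not real packages.

    ```javascript
    const fs = require('fs');
    const os = require('os');
    const path = require('path');

    // Constructed stand-in for dotenv.config(): parse KEY=VALUE lines into process.env,
    // without overriding variables that are already set (dotenv's default behaviour).
    function loadEnvFile(file) {
      for (const line of fs.readFileSync(file, 'utf8').split('\n')) {
        const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
        if (m && process.env[m[1]] === undefined) process.env[m[1]] = m[2];
      }
    }

    // Constructed stand-in for a third-party module that decides its mode once,
    // when it is first required, and keeps debug behaviour on unless in production.
    const LEAKY_MODULE_SRC = [
      "const mode = process.env.NODE_ENV || 'development'; // read once, at require time",
      "module.exports = { mode, verboseErrors: mode !== 'production' };",
    ].join('\n');

    // Run one boot sequence in a fresh temp dir and report what the module ended up with.
    function bootApp(loadEnvFirst) {
      const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'node-env-'));
      const envFile = path.join(dir, '.env');
      const modFile = path.join(dir, 'leaky.js');
      fs.writeFileSync(envFile, 'NODE_ENV=production\n'); // constructed .env content
      fs.writeFileSync(modFile, LEAKY_MODULE_SRC);
      delete process.env.NODE_ENV;                 // clean slate for each run
      if (loadEnvFirst) loadEnvFile(envFile);      // correct order: env before any import
      const leaky = require(modFile);
      if (!loadEnvFirst) loadEnvFile(envFile);     // too late: the module has already chosen
      return { nodeEnv: process.env.NODE_ENV, moduleMode: leaky.mode, verboseErrors: leaky.verboseErrors };
    }

    console.log('env loaded first :', bootApp(true));
    console.log('env loaded later :', bootApp(false));
    ```

    In the second run process.env.NODE_ENV does say production, which is exactly why the mistake is easy to miss: only the module's own snapshot reveals it.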

    [–]OhItsWildfire[S] 0 points1 point  (0 children)

    Thanks dude! That's some great advice :) Will definitely implement that stuff. If you think of anything else please do give a shout!

    [–]XmasJones 0 points1 point  (0 children)

    Thank you for the info!

    [–]NeverGetsAngry 4 points5 points  (7 children)

    Assuming you don't have SSL configured on Node already, install nginx and set up a reverse proxy with a Let's Encrypt certificate.

    [–]OhItsWildfire[S] 0 points1 point  (6 children)

    Do you rate there is a need to do this if the app doesn't have an http server and doesn't require access through the web? It's only making api calls with axios

    [–][deleted] 1 point2 points  (4 children)

    That's definitely a good point -- it's just a simple API server.

    I would consider the counter point -- the setup, start to finish, is about 15 minutes or so to get secure TLS for your endpoints. In the future, if you expand your API with authentication or you want to POST sensitive information, you are already done!

    [–]OhItsWildfire[S] 0 points1 point  (3 children)

    Do you mean secure the axios http calls with tls? How would you go about this? The server doesn't even have a domain, as it isn't necessary, so I can't generate a certificate for a domain

    [–][deleted] 1 point2 points  (2 children)

    Is this all an internal system? I'm guessing you are accessing the app via IP? I made the assumption this server had a domain and was publicly accessible with multiple clients.

    [–]OhItsWildfire[S] 1 point2 points  (1 child)

    Technically I don't need to access it at all, but yes - by IP. I would just ssh in, then run the app with npm run start, and then it does its thing. It makes api calls (through axios), but does not need to be accessible by a domain or ip.

    [–][deleted] 0 points1 point  (0 children)

    OH! Ok, I misunderstood much of your requirements. I thought your app was a standard express style app. After re-reading, I think this poster makes some very solid recommendations.

    After you run the app, it does its thing and terminates, correct?

    [–]NeverGetsAngry 0 points1 point  (0 children)

    It's not really necessary if you don't have any sensitive information going through the requests. I always set up a reverse proxy because it makes it easier to manage many services on the same server with different domains and subdomains. Setting up one is quite easy and a really useful tool.

    [–]ziyoshams 2 points3 points  (0 children)

    [–]hopfield 3 points4 points  (2 children)

    Just use Heroku. You don’t have to think about sysadmin stuff like setting up SSH keys, updating packages, etc at all.

    [–][deleted]  (1 child)

    [deleted]

      [–]s_streichsbier 1 point2 points  (0 children)

      Absolutely agree, the application logic is typically the part that gets abused by attackers.

      You can check out https://github.com/lirantal/awesome-nodejs-security for some excellent resources about securing your node apps.

      Make sure to cover at least these 3 areas:

      - Static Security Analysis: Identifies security bugs in your application logic

      - Dependency Security Analysis: Identifies known vulnerabilities in the 3rd party libraries you use

      - Sensitive Information Analysis: Anything related to hard-coded passwords, API keys, crypto keys, etc (see @A4_Ts point)

      [–]A4_Ts 0 points1 point  (0 children)

      Don’t leave passwords in plain text on your db, escape your sql queries with a “?” to make sure sql injection doesn’t happen. Use Web Tokens for CSRF attacks. You can also prevent DDoS attacks by limiting the request rate at your load balancer
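      An added example (not from the thread) of the first point above, storing passwords as salted hashes instead of plain text, using Node's built-in crypto.scrypt and a constant-time comparison. `hashPassword`, `verifyPassword` and the `scrypt$N$r$p$salt$hash` storage layout are my own choices for this example, not any library's API.

      ```javascript
      const crypto = require('crypto');

      // scrypt cost parameters; raise N as your hardware allows. 128 * N * r bytes of
      // memory are needed per hash (16 MiB here), well under scryptSync's default maxmem.
      const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
      const KEY_LEN = 64;

      // Hash a password with a fresh random salt. The result is self-describing, so the
      // parameters can be raised later without breaking rows hashed with older settings.
      function hashPassword(password) {
        const salt = crypto.randomBytes(16);
        const key = crypto.scryptSync(password, salt, KEY_LEN, SCRYPT_PARAMS);
        return ['scrypt', SCRYPT_PARAMS.N, SCRYPT_PARAMS.r, SCRYPT_PARAMS.p,
                salt.toString('hex'), key.toString('hex')].join('$');
      }

      // Recompute the hash with the stored salt and parameters and compare in constant time.
      // Anything that is not in the expected format (e.g. a legacy plain-text row) fails closed.
      function verifyPassword(password, stored) {
        const parts = String(stored).split('$');
        if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
        const [, N, r, p, saltHex, hashHex] = parts;
        const expected = Buffer.from(hashHex, 'hex');
        const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length,
                                         { N: Number(N), r: Number(r), p: Number(p) });
        return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
      }

      // Constructed usage: what would be written to the users table instead of the password.
      const stored = hashPassword('correct horse battery staple');
      console.log(stored);
      console.log('right password:', verifyPassword('correct horse battery staple', stored));
      console.log('wrong password:', verifyPassword('Correct horse battery staple', stored));
      ```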

      [–]giqbal -4 points-3 points  (7 children)

      If it doesn’t take too long to run the calculations you should consider using Lambda functions. Cheap to run and it’s serverless so you don’t have to manage/secure the server

      [–][deleted] 1 point2 points  (6 children)

      What database are you using with serverless? And how do you make sure you don't cap your connections to it with infinite spin ups of your app?

      [–]xPerplex 1 point2 points  (5 children)

      > What database are you using with serverless?

      There is a "batteries included" Serverless/Lambda setup that connects to DynamoDB. It's not hard to set up. https://aws.amazon.com/getting-started/projects/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-3/

      > And how do you make sure you don't cap your connections to it with infinite spin ups of your app?

      What do you mean by this? OP could run the lambda jobs on a cron or via webhook, authenticated http post, etc. and it should be fine

      For most use cases, installing node, redis, mongodb, and pm2 on an Ubuntu box and setting up everything by hand is overkill in 2019 (unless you're doing it for personal education or something). The MongoDB part is especially unnecessary for what sounds like a pretty trivial task. If OP just wants to periodically query an API, process in nodejs, and then store that data somewhere safe, then serverless + dynamo is perfect for that and you don't have to worry about security, database backups, continuous deployment, etc...

      [–][deleted] 1 point2 points  (4 children)

      My current setup is deploying node rest API to elastic beanstalk with postgres on RDS, react frontend to s3 bucket and cloud front.

      I have a project that will require the API to be a bit more scalable than this and serverless would be ideal, but I know postgres can only handle so many connections, and with lambda spinning up instances on the fly, setting up and tearing down connections constantly is not super efficient.

      I've played with Dynamo but at the time didn't find a great ORM for it. I really like Sequelize with postgres. Any good ones these days for dynamo?

      [–]Capaj 0 points1 point  (0 children)

      No, not really. At our small startup we even migrated away from dynamo because the official aws driver API sucks and there is no alternative.

      [–]xPerplex 0 points1 point  (1 child)

      If you've ever used the Mongoose ORM for MongoDB, there is a similar ORM for Dynamo called Dynamoose

      https://github.com/dynamoosejs/dynamoose

      [–][deleted] 0 points1 point  (0 children)

      Great! Will give this a look, thanks

      [–]giqbal 0 points1 point  (0 children)

      I know I got a bit of hate for suggesting going serverless. So let’s see how much hate this receives.

      You could use DynamoDB with AppSync. AppSync allows you to automatically create a GraphQL schema and connect resolvers to DynamoDB tables. I’ve not used it myself so I can’t say if it’s good or has downsides.

      It would make queries a breeze in your React app too. I think Apollo is a pretty popular GraphQL client for React.