Is nodejs secure as is?

Tags:

node.js

I have a Linux box and just installed nodejs. A lot of the examples I see just do a specific function, but I don't see anywhere that they "secure" the nodejs server. For example, for PHP I would use sessions to secure an area of my website. Is nodejs ok as is? Does it need additional settings or code in nodejs to make sure only the right people are accessing it? Or is it ok right "out of the box"?

John asked Oct 12 '11 01:10



1 Answer

Node.js isn't in itself a web server. It's an asynchronous event engine programmed in JavaScript. :)

PHP doesn't serve the output it generates. This task is left to a web server like Apache or IIS. PHP comes with a Session Management module (exposed through the super-global $_SESSION variable), whereas Node.js comes with a web server module ("http").

Node.js lets you do both in one environment because it lets you and your program instantiate a web server yourself. That makes it very, very easy to expose functionality to the web as a plain old HTTP(S) web server, whereas with PHP your environment is restricted by the web server configuration.

In fact, think of the 'http' module more as an implementation of the HTTP protocol in an eventful manner. If you need a "real" web server, a project like express will be much more suitable for you, because it comes with features that a web server like Apache would provide.

Incidentally, the express framework already provides session support.

So, to actually answer your question(s): Yes, Node.js is ok as is because it is not a web server in itself. When you pull in modules you must take into account their settings. You are in full control over the "user agent experience."

Chris Eineke answered Nov 02 '22 18:11
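The answer's point that the built-in 'http' module only implements the protocol means any "only the right people" check has to be written by the application. The sketch below is an added example, not code from the answer or from express: it gates a hypothetical `/admin` area behind a cookie session using only Node's standard library. The route names, the `sid` cookie, the in-memory store and the demo credential are all assumptions made for illustration.

```javascript
const http = require('node:http');
const crypto = require('node:crypto');

const sessions = new Map(); // sid -> { user, expires }; in-memory store (assumption)
const TTL_MS = 30 * 60 * 1000;
// Constructed demo credential; a real app checks a salted password hash instead.
const DEMO = { user: 'alice', password: 'demo-password-constructed' };
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest();

function parseCookies(header = '') {
  const out = Object.create(null);
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function login(user, password) {
  // Compare fixed-length digests so the comparison time does not depend on the input.
  const ok = crypto.timingSafeEqual(sha256(password), sha256(DEMO.password));
  if (user !== DEMO.user || !ok) return null;
  const sid = crypto.randomBytes(32).toString('hex'); // unguessable session id
  sessions.set(sid, { user, expires: Date.now() + TTL_MS });
  return sid;
}

function currentUser(cookieHeader, now = Date.now()) {
  const s = sessions.get(parseCookies(cookieHeader).sid);
  return s && s.expires > now ? s.user : null;
}
// Routing decision kept pure so it can be checked without opening a socket.
function route(method, url, cookieHeader, form = {}) {
  if (method === 'POST' && url === '/login') {
    const sid = login(form.user, form.password);
    if (!sid) return { status: 401, headers: {}, body: 'bad credentials' };
    const cookie = `sid=${sid}; HttpOnly; SameSite=Strict; Path=/`; // add "; Secure" over HTTPS
    return { status: 204, headers: { 'Set-Cookie': cookie }, body: '' };
  }
  const user = currentUser(cookieHeader);
  if (url.startsWith('/admin') && !user) return { status: 401, headers: {}, body: 'login required' };
  return { status: 200, headers: {}, body: user ? `hello ${user}` : 'public page' };
}
// Adapter onto the built-in "http" module; serve with app.listen(3000, '127.0.0.1').
const app = http.createServer((req, res) => {
  let raw = '';
  req.on('data', (c) => { raw += c; if (raw.length > 4096) req.destroy(); }); // cap body size
  req.on('end', () => {
    const r = route(req.method, req.url, req.headers.cookie, Object.fromEntries(new URLSearchParams(raw)));
    res.writeHead(r.status, r.headers).end(r.body);
  });
});
```

Without the `/admin` check in `route`, every path would be served to any client, which is the default behaviour of a bare `http.createServer` handler.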