In this post I'd like to give you a general checklist what you should do before going to production with Node.js. Most of these points are not just applying to Node.js, but every production systems.
Disclaimer: this checklist is just scratching the surface - every production deployment is different, so make sure you understand your system, and use these tips accordingly.
Even in bigger systems we see lots of manual steps involved in deployment. This approach is very error prone - in case someone forgets something, you will have a bad time. Never do deployment manually.
Speaking of deployment: you may want to take a look at immutable infrastructures as well, and what challenges they can solve for you.
Security is the elephant in the room - but it shouldn't be. Let's take a look at some of the possible security issues, and how you can fix them.
This command locks down the versions of a package's dependencies so that you can control exactly which versions of each dependency will be used when your package is installed.
Uhm, ok, but why do you need this? Imagine the following scenario - during development everything works as expected, all your tests pass, but your production environment is broken. One of the reasons can be, that a new version of the package you are using was released which contained breaking changes.
This is why you should use SemVer as well - but still, we make mistakes, so we better prepare for them. Before pushing your changes to production, use
Node Security Project CLI
Once you have your
npm-shrinkwrap.json, you can check if they have known vulnerabilities.
For this you have to install nsp using
npm i nsp -g.
After that just use
nsp audit-shrinkwrap, and hopefully you will get
No vulnerable modules found as a result. If not, you should update your dependencies.
For more on Node.js Security you should watch Adam Baldwin's talk and read our blogpost dealing with Node.js Security.
Use VPNs and Private Networks
Private networks are networks that are only available to a restricted set of users and servers.
A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections. - Digital Ocean
But why? Using VPNs you can create a private network that only your servers can see. With this solution your communication will be private and secure. You only have to expose the interfaces that your clients actually need - no need to open up a port for Redis or Postgres.
In short: log everything, all the time - but not just in your Node.js application, but on the operating system level as well. For this one of the most popular solutions is to use Logstash.
But why do you need logging? Just a couple of the use cases: (sure, sometimes they overlap)
- find problems in applications running in production
- find security holes
- oversee your infrastructure
You can check out a related blogpost by Pinterest.
Monitoring & Alerting
Monitoring is crucial - but not just in mission critical systems. If something bad happens, like your landing page is not showing up, you want to be notified about it.
There are tons of tools out there coming to the rescue like Zabbix, New Relic, Monit, PagerDuty, etc. The important thing here is to pick what suits you the best, and use that - just make sure you have it set up. Do not have illusions that your system won't fail - I promise you, it will and you are going to have a bad time.
For a more detailed talk on monitoring I strongly suggest you to watch the following video on monitoring the Obama campaign.
Caching Node.js Production Applications
Cache (almost) everything - by caching I don't only mean the classical HTTP caching, but on the database level as well.
- smaller load on your servers -> cost-effective infrastructure
- faster responses to the clients -> happy users
Speaking of HTTP REST APIs it is really easy to implement caching, but one thing you should keep in mind: GET endpoints can be cached, but PUT, POST, & DELETE endpoints cannot.
For a reference implementation I would suggest you to read API Caching 101 by Fastly.
This checklist applies to most systems, not just to the ones implemented in Node.js. As this list just scratching the surface, I would like to ask you: what would you add to the list? All comments/feedbacks are very welcomed!
- A step-by-step guide on how to set up your own Node.js production environment.