Intro

Previously we talked about Node.js best practices then best practices again and how to run Node.js in production.

In this post I'd like to give you a general checklist of what you should do before going to production with Node.js. Most of these points apply not just to Node.js, but to every production system.

Disclaimer: this checklist is just scratching the surface - every production deployment is different, so make sure you understand your system, and use these tips accordingly.

Deployment

Even in bigger systems we see lots of manual steps involved in deployment. This approach is very error prone - in case someone forgets something, you will have a bad time. Never do deployment manually.

Instead you can use tools like Codeship or Shippable if you are looking for hosted solutions, or Jenkins if you are going to set up a more complex pipeline.

Speaking of deployment: you may want to take a look at immutable infrastructures as well, and what challenges they can solve for you.

Security

Security is the elephant in the room - but it shouldn't be. Let's take a look at some of the possible security issues, and how you can fix them.

NPM Shrinkwrap

npm shrinkwrap

This command locks down the versions of a package's dependencies so that you can control exactly which versions of each dependency will be used when your package is installed.

Uhm, ok, but why do you need this? Imagine the following scenario: during development everything works as expected and all your tests pass, but your production environment is broken. One possible reason is that a new version of a package you depend on was released between your last test run and the production install, and it contained breaking changes.

This is why you should use SemVer as well - but we all make mistakes, so we had better prepare for them. Before pushing your changes to production, run npm shrinkwrap and commit the resulting npm-shrinkwrap.json.

Node Security Project CLI

Once you have your npm-shrinkwrap.json, you can check whether the locked dependencies have known vulnerabilities.

For this you have to install nsp using npm i nsp -g.

After that just use nsp audit-shrinkwrap, and hopefully you will get No vulnerable modules found as a result. If not, you should update your dependencies.
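The two checks above (are all dependencies pinned to an exact version, and does any pinned version fall under a known advisory) can be reproduced in a few lines against the lock file itself. The following is an added example, not code from the original post or from the npm or nsp projects: the shrinkwrap document and the advisory list are constructed sample data, the `hypothetical-lib` package and its advisory are made up, and the lock-file layout assumed is the nested `dependencies` tree with a `version` per entry that npm shrinkwrap produced at the time.

```javascript
// Added example: lock-file checks in the spirit of `npm shrinkwrap` plus
// `nsp audit-shrinkwrap`. All data below is constructed for illustration.
'use strict';

// Constructed npm-shrinkwrap.json content (nested "dependencies" tree,
// each entry carrying the resolved "version").
const shrinkwrap = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    express: {
      version: '4.12.4',
      dependencies: {
        'serve-static': { version: '1.9.3' },
      },
    },
    lodash: { version: '^3.9.0' },          // a range, not an exact pin: will drift
    'hypothetical-lib': { version: '0.2.1' } // made-up package for the advisory check
  },
};

// Constructed advisory list; `below` is the first version that carries the fix.
const advisories = [
  { module: 'hypothetical-lib', below: '0.3.0', title: 'Sample advisory (constructed)' },
];

const EXACT = /^\d+\.\d+\.\d+$/;

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for ranges and tags.
function parseExact(v) {
  return EXACT.test(v) ? v.split('.').map(Number) : null;
}

// Compare two exact versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseExact(a);
  const pb = parseExact(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the nested dependency tree, yielding [path, version] for every entry.
function* walk(deps, prefix = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    yield [path, entry.version];
    yield* walk(entry.dependencies, path);
  }
}

// Check 1: every locked entry must be an exact version, otherwise the
// "same code in dev and in production" guarantee does not hold.
function findUnpinned(doc) {
  const out = [];
  for (const [path, version] of walk(doc.dependencies)) {
    if (!parseExact(version)) out.push({ module: path.join(' > '), version });
  }
  return out;
}

// Check 2: match every exact locked version against the advisory list.
function findVulnerable(doc, advisoryList) {
  const out = [];
  for (const [path, version] of walk(doc.dependencies)) {
    const name = path[path.length - 1];
    for (const adv of advisoryList) {
      if (adv.module === name && parseExact(version) && compareVersions(version, adv.below) < 0) {
        out.push({ module: path.join(' > '), version, fixedIn: adv.below, title: adv.title });
      }
    }
  }
  return out;
}

console.log('unpinned:', findUnpinned(shrinkwrap));
console.log('vulnerable:', findVulnerable(shrinkwrap, advisories));
```

Run it with `node` and it reports `lodash` as unpinned and `hypothetical-lib` as affected; with an empty result for both, the lock file is safe to ship. The version comparison deliberately understands only exact `x.y.z` values, which is exactly the shape a lock file should contain; anything else is reported by the first check rather than guessed at. Note that the nsp tool has since been retired and its checks now live in the built-in `npm audit`, which reads the lock file in the same way.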

For more on Node.js Security you should watch Adam Baldwin's talk and read our blogpost dealing with Node.js Security.

Use VPNs and Private Networks

Private networks are networks that are only available to a restricted set of users and servers.

A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections. - Digital Ocean

But why? Using VPNs you can create a private network that only your servers can see. With this solution your communication will be private and secure. You only have to expose the interfaces that your clients actually need - no need to open up a port for Redis or Postgres.

Logging

In short: log everything, all the time - and not just in your Node.js application, but at the operating system level as well. One of the most popular solutions for collecting all of it is Logstash.

But why do you need logging? A few of the use cases (they sometimes overlap):

  • find problems in applications running in production
  • find security holes
  • oversee your infrastructure

Speaking of Node, you can use either Winston or Bunyan to do logging.

You can check out related blogposts by Pinterest and Cloudgear as well.

Monitoring & Alerting

Monitoring is crucial - and not just in mission-critical systems. If something bad happens, like your landing page not showing up, you want to be notified about it.

There are tons of tools out there coming to the rescue like Zabbix, New Relic, Monit, PagerDuty, etc. The important thing here is to pick what suits you the best, and use that - just make sure you have it set up. Do not have illusions that your system won't fail - I promise you, it will and you are going to have a bad time.

For a more detailed talk on monitoring I strongly suggest you watch the following video on monitoring the Obama campaign.

Caching Node.js Production Applications

Cache (almost) everything - by caching I don't only mean the classical HTTP caching, but on the database level as well.

The whys:

  • smaller load on your servers -> cost-effective infrastructure
  • faster responses to the clients -> happy users

Speaking of HTTP REST APIs, it is really easy to implement caching, but one thing you should keep in mind: responses to GET requests can be cached, while PUT, POST and DELETE requests cannot.

For a reference implementation I suggest you read API Caching 101 by Fastly.
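The GET-versus-everything-else rule has a second half that is easy to forget: a write to a resource has to evict whatever cached copy of that resource exists, otherwise clients keep reading the pre-write state until the TTL runs out. The following added example, not code from the original post or from Fastly, is a small in-memory cache sitting in front of a resource handler; it stores only GET/HEAD responses, lets mutating methods pass straight through and invalidates the touched path (and its parent collection) on every write. The `/items/...` resource layout, the backend and the TTL are assumptions for illustration.

```javascript
// Added example: method-aware response cache with write-through invalidation.
// The backend and the /items resource are constructed for illustration.
'use strict';

const CACHEABLE = new Set(['GET', 'HEAD']);
const MUTATING = new Set(['PUT', 'POST', 'DELETE', 'PATCH']);

// `now` is injectable so expiry can be tested without waiting.
function createCachingHandler(backend, { ttlMs = 60 * 1000, now = Date.now } = {}) {
  const cache = new Map();   // path -> { body, expires }
  const maxAge = 'max-age=' + Math.floor(ttlMs / 1000);

  return function handle(method, path, payload) {
    if (CACHEABLE.has(method)) {
      const hit = cache.get(path);
      if (hit && hit.expires > now()) {
        return { status: 200, body: hit.body, fromCache: true, headers: { 'Cache-Control': maxAge } };
      }
      const body = backend.read(path);
      if (body === undefined) {
        return { status: 404, fromCache: false, headers: { 'Cache-Control': 'no-store' } };
      }
      cache.set(path, { body, expires: now() + ttlMs });
      return { status: 200, body, fromCache: false, headers: { 'Cache-Control': maxAge } };
    }
    if (MUTATING.has(method)) {
      const result = backend.write(method, path, payload);
      cache.delete(path);                          // the resource itself is stale now
      const parent = path.replace(/\/[^/]+$/, ''); // so is any cached listing of its collection
      if (parent) cache.delete(parent);
      return { status: result.status, body: result.body, fromCache: false, headers: { 'Cache-Control': 'no-store' } };
    }
    return { status: 405, fromCache: false, headers: { Allow: 'GET, HEAD, PUT, POST, DELETE, PATCH' } };
  };
}

// Constructed backend: a Map plus a read counter, so cache hits are observable.
function createBackend() {
  const store = new Map([['/items/1', { id: 1, name: 'widget' }]]);
  let reads = 0;
  return {
    get reads() { return reads; },
    read(path) { reads += 1; return store.get(path); },
    write(method, path, payload) {
      if (method === 'DELETE') { store.delete(path); return { status: 204 }; }
      store.set(path, payload);
      return { status: method === 'POST' ? 201 : 200, body: payload };
    },
  };
}

// Usage: the second GET is served from cache, the PUT evicts it.
const backend = createBackend();
const handle = createCachingHandler(backend, { ttlMs: 30 * 1000 });
console.log(handle('GET', '/items/1').fromCache);   // false, backend read
console.log(handle('GET', '/items/1').fromCache);   // true
handle('PUT', '/items/1', { id: 1, name: 'gadget' });
console.log(handle('GET', '/items/1').body.name);   // 'gadget', not the cached 'widget'
```

The `Cache-Control` values mirror what an HTTP layer or a CDN would see: cached GETs advertise a `max-age`, everything that came from a write or a miss on a missing resource is `no-store`. Keying only on the path is fine for an anonymous read-only API; if responses vary per user, the key must include the identity (or the cache must be skipped for authenticated requests), otherwise one user can be served another user's data.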

Outro

This checklist applies to most systems, not just to the ones implemented in Node.js. As this list only scratches the surface, I would like to ask you: what would you add to it? All comments and feedback are very welcome!

Recommended reading

A step-by-step guide on how to set up your own Node.js production environment.