Is your Node.js application production ready?
In the last two articles of the Node.js blog series, we discussed how Node.js has made inroads into enterprises application development and the popular Node.js editors and modules which make the development faster.
As you start developing the applications using Node.js, you will need to think how you will ensure your application is production ready. There are some aspects like security, profiling, scalability, concurrency, session management which are really important to make them production ready. In this blog, we are going to see how to handle these aspects using tools available in the Node ecosystem.
What security issues do I need to handle?
Web applications need to handle common security issues like denial of service attack, SQL injection, cross site scripting, etc. irrespective of which language is used for development. Node comes with a lot of modules which help the developers to handle these issues.
For handling the denial of service attacks, developers can make use of npm modules like rate-limiter, which limit how many times a user can try to login in a given timeframe. For handling SQL injection attacks, tool like sqlmap can be used to detect possible SQL injection issues in the application.
To check if any of the node modules used in the application have any known security vulnerabilities, security auditing tool like nsp can be used.
One of the best security practice in web applications is, to set the security related headers like content security, X-XSS protection, X-Frame Options, etc. Helmet is a node module, which is a collection of smaller middleware functions that set security related HTTP headers.
Are there any standard debugging and profiling tools available?
Node provides many debugging and profiling tools. Node Inspector is an npm module which is sponsored by StrongLoop. This tool provides most of the common debugging features like breakpoints, inspecting scopes and variables, CPU and HEAP profiling, etc. Some of the popular IDEs like Web Storm also provide integrated debuggers. Application performance monitoring tool fromAppDynamics, provides features like monitoring at code level depths, diagnose memory leaks, real time detection of errors to minimize application downtime.
New Relic provides performance monitoring tools which can be used for finding bottlenecks in the application, monitors response times, throughput and error rates.
How do I make full use of all CPU cores available on my production servers?
Since Node.js is single threaded, it doesn’t take advantages of multiple cores available on the server. Node cluster module is used to address this. Node cluster starts multiple node processes based on the number of cores available on the server. These child processes share the server ports and communicate with the master process using interposes communication (IPC) mechanisms. This results into the parallel execution of multiple requests.
I know Node is not suitable for CPU bound tasks, still is there any way to address this?
How do I handle the sessions and scale out my application?
Popular Node.js modules like passport.js can be used for user authentication and session management. Passport.js has many features like Single Sign-on with OpenID and OAuth, comes with a lot of commonly used strategies like SAML 2.0 authentication, authentication for popular sites like Facebook, Paypal, etc.
Sometimes Node.js applications need to maintain sessions. Passport.js maintains the sessions in the memory by default. So it prohibits the application from scaling horizontally. If we have multiple node processes running on one or multiple servers, some persistent storage like NoSQL databases (e.g. MongoDB or Redis) should be used to manage sessions which can be accessed by multiple Node processes.
If the sessions are maintained in a common data store, the load balancer can route the requests to available servers and the application can work seamlessly. Even if one of the Node server is down, the load balancer can route the requests to the healthy Node servers.
How important is exception handling and how should I keep Node application up?
For logging the messages and errors, developers commonly use console logging. These functions are synchronous and not suitable for production use. Instead of this, logging frameworks like Winston should be used.
If exceptions are not caught correctly, Node applications crash. To avoid exceptions don’t cause the applications to crash, try-catch blocks can be used in synchronous mode. But try-catch blocks are not useful for handling exceptions in the asynchronous code. Promises handle the exceptions in the asynchronous code, so care must be taken for the asynchronous code to return promises.
Even if the Node application crashes, after taking enough care to handle exceptions, there are ways to restart the application quickly. There are many popular monitoring frameworks which keep on checking the health of node applications. In case of any failures, these frameworks restart the node processes to keep the application up. Forever is a very popular node framework which achieves this.
These are some my thoughts for the making the Node application production ready.
Do you think there are any other aspects which we need to consider?
Happy Node.js development!!!
Image Credits: nodejs.org/