In a previous blog post I mentioned ways to secure your ExpressJS instance. This included both using third party modules and modifications to the default configuration of Express.
The blog post received great feedback, so we decided to create a skeleton that showed how to handle the security concerns addressed. The skeleton is a great starting point for a secure ExpressJS application and this post will cover the details getting started with it and what it covers for you out of the box.
The source code for the skeleton can be found here dead-simple-express.
Check out the secure branch for all the details.
The following instructions are done with an OSX machine in mind, so modify accordingly.
Make sure to have mongodb installed
brew install mongodb
git clone https://github.com/jeremybuis/dead-simple-express.git && cd dead-simple && rm -rf .git
Navigate to http://localhost:4000 to view the basic page, keeping in mind its a starting point project, so things are pretty bare.
My preference to set something like this up in production is to put your express server behind a nginx proxy.
The proxy handles ssl termination and routes traffic to your express server. It also handles serving static resources. This way your express app is only handling app specific routes that have business logic attached to them.
This setup allows you to not run the express instance as root as it doesnt need to be bound to a port lower than 1024.
Thats all for now folks