As I get more and more experience with NodeJs and ExpressJs, I find myself looking at production settings and best practices more and more. When I was beginning with Node development, this was far from the case.
This blog post also serves as a reminder for myself to continue to use these tools. These tools are, I feel, the best to use as of November 28, 2016. Things change quickly in the NodeJs world, so these could be obsolete by the time you read this.
Anyway, here are some tools that I use in production for an ExpressJs web server. This will be a simple overview of the tools.
Helmet is the easiest way to add some basic security to your ExpressJs web server. It sets the appropriate headers to make your server more secure than it would be otherwise. It is definitely not all you need on your web server for security, but it’s a great start.
Helmet is also simple to use:
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet());
The above code will add headers to each response that do everything from helping prevent XSS to hiding which technology is powering your web server.
I first came across this tool on the ExpressJs Advanced Topics -> Security Best Practices page. It has other great tips as well.
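The headers Helmet adds are worth verifying rather than assuming. The following is an added example, not code from the post or from the Helmet project: a small audit function that takes a headers object (the shape Node's res.getHeaders() returns) and reports which protections are missing or weak. The expected values are assumed from Helmet 3's default middleware set, and both sample header sets are constructed for the example.

```javascript
// Added example (not from the post or from Helmet). Checks a response's
// headers against the protections Helmet enables by default. The expected
// values are this example's assumed baseline, taken from Helmet 3 defaults.
const EXPECTED = {
  'x-content-type-options': v => v === 'nosniff',
  'x-frame-options': v => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()),
  'x-xss-protection': v => /^1/.test(v),
  'x-dns-prefetch-control': v => v === 'off',
  'x-download-options': v => v === 'noopen',
  // 15552000 s = 180 days, assumed here as the minimum acceptable HSTS max-age.
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 15552000;
  },
};
// Headers that reveal the stack and should not be present at all.
const MUST_BE_ABSENT = ['x-powered-by'];

function auditSecurityHeaders(headers) {
  // Normalise names to lower case, as Node's res.getHeaders() does.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED)) {
    if (!(name in h)) findings.push(`missing: ${name}`);
    else if (!ok(h[name])) findings.push(`weak: ${name}=${h[name]}`);
  }
  for (const name of MUST_BE_ABSENT) {
    if (name in h) findings.push(`leaks stack: ${name}=${h[name]}`);
  }
  return findings; // empty array means every check passed
}

// Constructed samples: a bare Express response versus one with helmet() applied.
const BEFORE_HELMET = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' };
const AFTER_HELMET = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-DNS-Prefetch-Control': 'off',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '1; mode=block',
};

console.log('before helmet:', auditSecurityHeaders(BEFORE_HELMET));
console.log('after helmet:', auditSecurityHeaders(AFTER_HELMET));
```

Run the same function over the headers of a real response (for example from res.getHeaders() inside a route, or from an http.get callback) to confirm the middleware is actually in front of every route.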
Strongloop is one of the best process managers I’ve used for NodeJs. There is also PM2, which is a great alternative with many of the same features.
One of the features that I particularly like about Strongloop is the easy Build and Deploy feature that can Dockerize and deploy to a remote server from my local machine.
Another handy feature of Strongloop is that it supports third party technologies for statistics, including any server that supports StatsD.
Here is a nice comparison between Strongloop and PM2. It’s on Strongloop’s website, so take it with a grain of salt. PM2 may have gotten support for some of the features that are listed as not supported.
This Express middleware (express-minify-html) makes it pretty easy to minify the HTML that your web server responds with. It’s as simple as that. This module can also minify inline JS.
Minifying the pages reduces the size of the pages, which helps the browser load the page faster. That’s why production systems should always use minification.
This middleware does for everything else what express-minify-html does for HTML. It has a bit more of an involved setup, but once set up it can minify LESS, SCSS, and JSON, and it can cache those files for faster page loads.
Winston is a great module for NodeJs logging. A production system should not be logging to the console window, because there are only a limited number of lines you can read. A production system also should not be using the built-in console.log() function, because it’s a synchronous function, and you don’t want to do anything synchronously in a NodeJs production system because that will block the single NodeJs thread.
That’s where Winston comes in. Winston is an asynchronous logging library with plugins, or in Winston terminology, transports, to various different logging outputs. By default the console transport is enabled for Winston. On top of, or instead of, that you can use the file transport, MongoDB transport, Redis transport, and many more.
Using Winston or similar asynchronous logging libraries should be a regular practice for NodeJS production servers. Even if you’re not running a web server, using Winston will help the performance of your Node app.
An honourable mention goes to the Compression middleware and its ease of use to compress all responses served by our server. Use the following code to use this middleware with your Express Js server.
var compression = require('compression')
var express = require('express')
var app = express()
app.use(compression())
Hope you found these tools useful. If you have a useful tool or best practice for production Express Js servers, feel free to comment.