Wednesday, May 2, 2012

How robust is nodejs as an http server?


If I use the http module of nodejs to make a simple http server, how much validation/checking do I have to do?



Does the module take care of security issues like malformed requests and requests with malicious header values? Does the module ensure that everything follows the http spec, or do I have to do a lot of checking to make sure that my server isn't easy to crash?



Edit: Let's say nodejs doesn't do any real validation, which I'm pretty sure is the case. What do I have to do to make sure my server isn't easily crashable?


Source: Tips4all

2 comments:

  1. What is a malicious header value? Node is low level, so a lot of things aren't checked. But you have to look at those things. But it isn't like someone can send "execute 0xFA894224" or something. The only holes it's likely to have are things like allowing malformed requests (e.g., maybe you might get request.location: "\*\*\* CHINAAA \*\*\*"), forgetting to launch a socket close event, or throwing a JavaScript error and gracefully terminating.

    You can always check yourself for these things, or use a try/catch block, process.on, etc. Of course, it's not to say there might not be a buffer overflow or something somewhere, but it is unlikely considering Node is built on top of V8, and many of the libraries are pure JavaScript.

    Edit:
    How to stop random crashes:

    process.on('uncaughtException', function () {
        /* ignore error */
    });

  2. NodeJS wasn't made to be used as a world-facing HTTP server. Its HTTP capabilities can, however, be used to proxy requests to a proper web server.

    Off-topic, but Nginx is really good at doing this, as it holds a steady-ish number of threads.

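An added example (not part of the original post or its comments) of applying the first comment's advice to check things yourself and use try/catch and `process.on` on a bare `http` server. The limits, the function names and the `EXAMPLE_PORT` variable are assumptions made for illustration.

```javascript
const http = require('http');

const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const MAX_URL = 2048;        // assumed cap on request-target length
const MAX_BODY = 64 * 1024;  // assumed cap on declared body size

// Application-level checks; returns an HTTP status to reject with, or 0 if OK.
function checkRequest(req) {
  if (!ALLOWED_METHODS.has(req.method)) return 405;
  if (typeof req.url !== 'string' || req.url.length > MAX_URL) return 414;
  const len = req.headers['content-length'];
  if (len !== undefined && !/^\d+$/.test(len)) return 400;
  if (len !== undefined && Number(len) > MAX_BODY) return 413;
  return 0;
}

// Wrap a handler so a synchronous throw or a rejected promise becomes a 500
// for that one request instead of an uncaught exception that ends the process.
function guard(handler) {
  return (req, res) => {
    const fail = (err) => {
      console.error('handler failed:', err && err.message);
      if (!res.headersSent) res.writeHead(500);
      res.end();
    };
    try {
      const status = checkRequest(req);
      if (status) { res.writeHead(status, { Connection: 'close' }); return res.end(); }
      const result = handler(req, res);
      if (result && typeof result.catch === 'function') result.catch(fail);
    } catch (err) {
      fail(err);
    }
  };
}

function createHardenedServer(handler) {
  const server = http.createServer(guard(handler));
  // Requests the HTTP parser rejects never reach the handler; answer and close.
  server.on('clientError', (err, socket) => {
    if (socket.writable) socket.end('HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n');
    else socket.destroy();
  });
  server.headersTimeout = 10000;  // ms allowed to receive the full header block
  server.requestTimeout = 30000;  // ms allowed to receive the full request
  return server;
}

// Last resort: log and exit so a supervisor restarts a clean process.
function onFatal(err) { console.error('fatal:', err); process.exit(1); }

if (process.env.EXAMPLE_PORT) {  // hypothetical variable: set it to run the server
  process.on('uncaughtException', onFatal);
  createHardenedServer((req, res) => res.end('ok\n')).listen(Number(process.env.EXAMPLE_PORT), '127.0.0.1');
}
```

Here the `uncaughtException` handler logs and exits rather than continuing, on the assumption that a process supervisor restarts the server.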