How can Node.js be a replacement for the server side when users can see the files?


Aleksandra Czajka

unread,
Sep 18, 2014, 12:24:37 PM9/18/14
to nod...@googlegroups.com
I'm looking into Node.js to replace my server side for the next projects I work on. One of the greatest benefits of using a server side is that communication of sensitive data is done from the server and not from js files, of which everyone can not only view the static source but also very easily trace the communication. I was researching how node.js makes sure that the .js files are not visible to users and from what it seems like, they're not doing that at all.

So, my question is, what is node.js suggesting we do with the sensitive data? I mean, we can surely encrypt the js files, but why would I want to add this complexity?

Angel Java Lopez

unread,
Sep 18, 2014, 4:22:46 PM9/18/14
to nod...@googlegroups.com
Hi!

I'm not understanding your question, English is not my strong point ;-)

Are you talking about a web application? Node.js doesn't expose server side .js files to users. In case you are using a web framework like Express, only the .js files under the public folder are visible to client users.

Angel "Java" Lopez
@ajlopez



Ahmed Eldosoukey

unread,
Sep 19, 2014, 1:57:26 AM9/19/14
to nod...@googlegroups.com
Hi,

  It seems like there's a misconception here.

  Node.JS does run the JS files you write in a process running on server side. Using JS for programming doesn't mean they'll be transferred to the browser to run them.

  If I understand you well, your issue doesn't really exist. What you really expose to the public world is an API from Node.JS to use it. If you're serving public client-side JS files, they shouldn't contain any sensitive information; they'll just include how to represent things on a browser.

Regards,
Ahmed

Floby

unread,
Sep 22, 2014, 6:16:24 AM9/22/14
to nod...@googlegroups.com
Hello,

I would be very curious to know where you read that Node.js exposes JS files to the world. I would personally send an e-mail to the authors to let them know how wrong it is.

Node.js is a platform that you can script using JavaScript. JavaScript is the language in which you write your code. This is the only thing in common it has with web browsers. It executes code on the server. It doesn't even have to be a server by the way.

Jimb Esser

unread,
Sep 23, 2014, 2:50:16 PM9/23/14
to nod...@googlegroups.com
Depending on what "users" the original poster is referring to - if you are selling a server to your clients, using Node does expose all of your server source code to your "users".  However, thinking that the traditional method of selling a compiled executable with "sensitive data" compiled and encrypted in it provides security would also be incorrect - anything that's running on a user's machine can be disassembled, debugged, reverse engineered.  However, that is much, much more difficult than just reading the source code provided as plaintext with the server, so there is a somewhat legitimate concern there.  Best way around it (and may also be good for lots of other business reasons) seems to be to sell them a hosted service where you run the servers =).

Albert Engelbrecht

unread,
Oct 1, 2014, 3:06:01 PM10/1/14
to nod...@googlegroups.com
Unless someone has access to the server, they should not be able to view the server's source at all.

If you are finding that your files are being transmitted, I would look at how you are setting up your server.  Either the reverse proxy you are using is serving your whole application directory, or your Node application is serving all the files in the current directory, not just limiting itself to your public folder. 

Albert Engelbrecht

unread,
Oct 1, 2014, 3:12:11 PM10/1/14
to nod...@googlegroups.com
...And after hitting post I realize this question has a ton of answers, sweet!