💡 Handy Tips

A collection of 124 tips that come in real handy when you need them. Originally posted as tweets on my Twitter account, and now gathered here so you can browse them easily.

Well-Known URL for Changing Passwords

💡 Help your users easily change their passwords by providing a *well-known* URL.

👉🏼 Redirect a request to "/.well-known/change-password" to the change password page on your site.

Spec: https://w3c.github.io/webappsec-change-password-url/

In Chrome's check password feature the change password button leads .well-known/change-password page at the website's domain.

Strict vs Non-Strict Mode in ECMAScript

💡 If you're not using ES Modules (import/export), using "use strict" is still relevant today.

👉🏼 An example of something crazy you can do in sloppy mode.

➡️ var let = 5

Read on the diff between sloppy and strict modes: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode/Transitioning_to_strict_mode#Differences_from_non-strict_to_strict

In non-strict mode you can use a reserved keyword such as let as a variable name. In strict mode the JavaScript compiler throws a SyntaxError.

Protect Against Parameter Pollution in Express

💡 HTTP Parameter Pollution (HPP) is an attack in which multiple params are sent with the same name, causing your Node.js app to parse them differently.

👉🏼 Use hpp with Express to always resolve with the last value as a String.

🔗 https://www.npmjs.com/package/hpp

Without HPP Protection, parameter type changes from string to array on multiple values. The hpp package for Express protects always resolves to the last value and thus type will always be the same.

Nginx Configuration for Websocket Applications

💡 Using Nginx as a reverse proxy for your Node.js websocket app?

👉🏼 Add the following config lines to Nginx to make it all work smoothly.

To have Nginx work smoothly with Websocket apps, use proxy_http_version 1.1 and set the following headers with proxy_set_header: Upgrade $http_upgrade, Connection $http_connection, Host $host.

Automatic Restart on System Reboot With PM2

💡 Using PM2 with Node.js?

👉🏼 Your app won't start automatically when the system reboots unless you configure PM2 to run as a daemon service:

1. ➡️ pm2 startup
2. Run the command printed out
3. Start your Node.js app(s)
4. ➡️ pm2 save

🔗 https://pm2.keymetrics.io/docs/usage/startup/

Quickly Navigate to Folder in Shell

💡 Are you often navigating to the same folders in the terminal?

👉🏼 Add the folders as variables in your source file and type:

➡️ cd $myproject

instead of:

➡️ cd /Users/maxim/Code/myproject

Enable using variables with cd in Z Shell with: setopt cdablevars and in Bash with: shopt -s cdable_vars. Then run export yourapp="path/to/yourapp" after which you can use cd $yourapp.

Check If Port Is Open to Public

💡 Want to check if a port is open for the public and not blocked by the firewall?

Which command was it again — ss, netstat, lsof or nmap? 🤔

👉🏼 Stop Googling and go to https://www.canyouseeme.org/ . An open port check tool right on the web.

Use Native Promises With Node.js fs Module

💡 Have you been promisifying the fs module in Node.js all this time like I did?

👉🏼 Not anymore! Node.js >= 10 ships with a native promise implementation of the fs module. #latetotheparty 😅

➡️ require('fs/promises')

Use the built-in promisified version of fs module in Node.js by importing fs/promises.

Relinquish Process Privileges in Node.js

💡 Running Node.js as root so you can bind to ports 80/443?

👉🏼 You can relinquish privileges with "process.setuid()" & "process.setguid()" to reduce the damage potential in case of a breach. Do this right after the app starts.

Inside the callback function for server.listen, change process user with process.setuid('nodejs') and process.setguid('nodejs') to relinquish privileges and reduce damage potential in case of a breach.

Measure Execution Time With console.time

💡 Need to find out how long a section of code or external request takes to complete?

👉🏼 A way to quickly measure this is to use console.time & console.timeEnd.

To start the timer, use console.time('fetch'). console.timeEnd('fetch') ends the timer and outputs the time in milliseconds.