Node.js appeared when the engineers of JavaScript expanded it from something you could just keep running in the BROWSER to something you could keep running on your machine as an independent application. The Node run-time environment incorporates all that you have to execute a program written in JavaScript.

Here are some best PRACTICES to make your NodeJS application secure:

• Limit the number of concurrent requests through MIDDLEWARE such as cloud firewalls, cloud load balancers, etc.
• Adjust the HTTP response using secure headers for enhanced SECURITY and blocking vulnerabilities such as XSS, clickjacking, etc.
• Use a secure hash + salt function such as bcrypt to store passwords, API keys, and secrets INSTEAD of Node.js crypto library.
• Limit brute-force authorization attacks by limiting the number of failed login attempts and, in such a case, ban the user's IP address.
• Limit your payload size by using a reverse-proxy or a middleware.
• Avoid pushing secrets on to the npm registry.
• Use cookies securely
• Ensure the security of all your dependencies