
Cookie-Based Sessions: Server-Side State, Client-Side ID
Think of a session cookie as a coat check ticket, not the coat itself. The server stores your data and gives you a unique ID to carry in a cookie; only that ID ever crosses the wire. This is how `express-session` tracks user state across requests in Express.js. Because the ID is the whole credential, it must be unguessable (CSPRNG output), flagged `HttpOnly`, `Secure` and `SameSite`, and regenerated at login so an ID an attacker planted beforehand is never upgraded to a logged-in session.

Docker Compose for Multi-Container Apps
Docker Compose is a conductor for your containers. Instead of running each service manually, you define your app and its database in one YAML file and launch them together. This is standard for local Node.js/Postgres development.

PM2: Zero-Downtime Reloads in Cluster Mode
PM2's `reload` command updates a clustered Node.js app without downtime by restarting its processes one at a time. Use it for live deployments. Two footguns: a stateful app loses whatever lives in process memory on every restart unless that state is externalized, and the reload is only truly zero-downtime if the app signals readiness (`wait_ready`) and drains open connections on `SIGINT` before exiting.

Health Check Endpoints: Reporting App Status
A health check is a dedicated endpoint that tells an orchestrator whether your app is alive and ready for traffic. Systems like Kubernetes use it to decide whether to send traffic (readiness) or restart a container (liveness). Keep the two apart: a readiness probe may check dependencies such as the database, but a liveness probe should not, or a database outage restarts every pod in a loop.

PM2 Cluster Mode: Scale Node.js Across All Cores
PM2's cluster mode lets your Node.js app run on every CPU core, multiplying its capacity. It's essential for scaling networked apps on a single machine, but requires a stateless design—storing sessions in memory will break things as requests hit different…

PM2: The Process Manager for Production Node.js
PM2 is a process manager that keeps your Node.js apps online. Use it to automatically restart crashed apps, run them in the background, and scale across CPU cores. The footgun is forgetting to run `pm2 save` to make your process list survive server reboots.

Sticky Sessions: Pinning a User to a Server
Sticky sessions pin a user's requests to a single server in a multi-server setup. Socket.IO needs them whenever HTTP long-polling is in play, because the series of polling requests that make up one session must all reach the process holding that session's state. A connection that is purely WebSocket is one long-lived TCP connection and does not need stickiness.

Socket.IO Adapters: Scaling Beyond One Server
Socket.IO adapters let you scale beyond one server. They use a backend like Redis Pub/Sub to broadcast messages across all your instances, so a user on Server A gets events from Server B. The footgun is assuming this handles everything; you still need a load.

Socket.IO Namespaces: Channels on One Connection
Socket.IO namespaces are virtual channels multiplexed over a single underlying connection, letting you split app logic without opening multiple connections. Use them for separate areas like `/admin` or for multi-tenancy. A namespace is routing, not access control: a client can ask to join `/admin` as easily as `/`, so guard it with namespace-level middleware (`io.of('/admin').use(...)`) that checks the caller's identity.

Server-Sent Events (SSE): One-Way Data Push from Server
Server-Sent Events (SSE) push data from server to client over one long-lived HTTP response with `Content-Type: text/event-stream`. It's a simpler, one-way alternative to WebSockets for things like live news feeds or status updates: plain HTTP, so it passes through ordinary proxies and auth, and the browser's `EventSource` reconnects automatically, sending `Last-Event-ID` so the server can resume where the client left off.
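An added example, not from the original page: an encoder and an incremental parser for the `text/event-stream` format, plus a request handler that resumes from `Last-Event-ID`. The encoder splits data on newlines, which is what stops a message body containing `\nevent: admin` from being read by the client as a new field. The `history` array, the `X-Accel-Buffering` header (an nginx-specific hint) and the 5 s retry are assumptions.

```javascript
// Added example (not from the page): SSE framing in both directions.

// Serialise one event. Control characters are stripped from id/event and data
// is split across multiple `data:` lines so user content cannot inject fields.
function formatEvent({ id, event, data, retry }) {
  const text = typeof data === 'string' ? data : JSON.stringify(data);
  let out = '';
  if (id !== undefined) out += `id: ${String(id).replace(/[\r\n]/g, '')}\n`;
  if (event) out += `event: ${String(event).replace(/[\r\n]/g, '')}\n`;
  if (retry !== undefined) out += `retry: ${Number(retry)}\n`;
  for (const line of text.split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n'; // blank line terminates the event
}

// Incremental parser following the WHATWG event-stream grammar. Feed chunks as
// they arrive; complete events are returned, partial lines are buffered.
class EventStreamParser {
  constructor() {
    this.buf = ''; this.data = []; this.event = '';
    this.lastEventId = ''; this.retry = null; this.events = [];
  }
  feed(chunk) {
    this.buf += chunk;
    let idx;
    while ((idx = this.buf.search(/\r\n|\r|\n/)) !== -1) {
      const line = this.buf.slice(0, idx);
      const crlf = this.buf[idx] === '\r' && this.buf[idx + 1] === '\n';
      this.buf = this.buf.slice(idx + (crlf ? 2 : 1));
      this.processLine(line);
    }
    return this.events.splice(0);
  }
  processLine(line) {
    if (line === '') { this.dispatch(); return; }
    if (line.startsWith(':')) return;                 // comment / keep-alive
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1); // one leading space is stripped
    if (field === 'data') this.data.push(value);
    else if (field === 'event') this.event = value;
    else if (field === 'id' && !value.includes('\0')) this.lastEventId = value;
    else if (field === 'retry' && /^\d+$/.test(value)) this.retry = Number(value);
    // unknown fields are ignored, per spec
  }
  dispatch() {
    if (this.data.length) {
      this.events.push({ type: this.event || 'message', data: this.data.join('\n'), lastEventId: this.lastEventId });
    }
    this.data = []; this.event = ''; // lastEventId and retry persist across events
  }
}

// Server side: headers that keep the response open and stop proxies buffering,
// then replay anything the reconnecting client missed (history is assumed to be
// an array of { id, data } with increasing numeric ids).
function sseHandler(history) {
  return (req, res) => {
    res.writeHead(200, {
      'Content-Type': 'text/event-stream',
      'Cache-Control': 'no-cache',
      Connection: 'keep-alive',
      'X-Accel-Buffering': 'no',
    });
    const last = Number(req.headers['last-event-id'] || 0);
    for (const ev of history.filter((e) => e.id > last)) res.write(formatEvent(ev));
    res.write(formatEvent({ retry: 5000, data: 'connected' }));
  };
}

module.exports = { formatEvent, EventStreamParser, sseHandler };
```

Authentication rides on the normal request (cookies or a bearer header), which is the practical advantage over a WebSocket upgrade that many proxies and auth layers handle badly.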

Socket.IO Rooms: Broadcasting to Subsets of Clients
Think of Socket.IO Rooms as server-side channels for grouping clients. They let you broadcast messages to a specific subset, like a private chat or users following a topic. Remember rooms are a server-only concept; a client can't see which rooms it has joined.

Socket.IO: Broadcasting Events to Clients
Broadcasting sends a server-side event to multiple clients at once, like a public announcement system. Use it for live notifications or game state updates. The footgun: by default, it only reaches clients on the same server; use an adapter for multi-server…

Socket.IO: More Than Just WebSockets
Socket.IO is a library for real-time, bidirectional communication. By default it connects over HTTP long-polling and upgrades to WebSocket when the network allows, so the connection works even where WebSockets are blocked. Use it for chat apps or live dashboards. It is not a WebSocket implementation: a Socket.IO client cannot talk to a plain WebSocket server, nor the reverse.

SharedArrayBuffer: True Shared Memory for JS Threads
SharedArrayBuffer is a shared whiteboard for JS threads (`worker_threads` in Node, Web Workers in the browser), letting them access the same memory without slow data copies. It's used for high-performance parallel tasks. The footgun: without `Atomics` to coordinate, you'll get race conditions and corrupted data. In browsers it is also only available to cross-origin isolated pages (served with `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy`), a restriction added after Spectre because shared memory makes a high-resolution timer.

HSTS: Forcing Future Connections to Use HTTPS
HSTS is a response header (`Strict-Transport-Security`) that tells browsers to only use HTTPS for your site, automatically upgrading future HTTP requests and refusing to click through certificate errors. This blunts SSL stripping attacks, but only after the browser has seen the header once over HTTPS; the very first visit is still exposed unless the domain is on the browser preload list. Set `includeSubDomains` so a stray HTTP subdomain cannot be used to leak cookies scoped to the parent domain.

Content Security Policy (CSP): An Allowlist for Browser Resources
Content Security Policy is an allowlist you send to the browser, dictating which scripts, styles, images and other resources may load, and from where. It's a defense in depth against XSS, not a replacement for output encoding: an injected `<script>` runs only if the policy lets it, so the policy must avoid `'unsafe-inline'` and wildcard hosts and instead mark legitimate inline scripts with a per-response nonce or hash.

Jest: A Batteries-Included JavaScript Test Framework
Jest is a 'batteries-included' JavaScript test framework, bundling a runner, assertions, and mocks for a zero-config experience. It's a go-to for testing Node, React, and TypeScript apps. Footgun: Snapshot tests only catch unexpected changes, not flawed logic.

Custom Error Classes: Beyond Generic Errors
Create specific error types, like `NotFoundError`, instead of generic ones. This lets your code react differently to different failures, like sending a 404 for a missing user vs. a 500 for a database outage. Give each class a status and an explicit flag for whether its message may be shown to clients; anything unexpected should become a bare 500, never a stack trace or a database driver's message.
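An added example, not from the original page: a small error hierarchy with an `expose` flag, and a translator that maps any thrown value to an HTTP status and body without leaking internals. The class names, status codes and the `findUser` route logic are assumptions for the example.

```javascript
// Added example (not from the page): typed errors and a safe error-to-HTTP mapping.

class AppError extends Error {
  constructor(message, { status = 500, code = 'internal_error', expose = false, cause } = {}) {
    super(message, cause ? { cause } : undefined);
    this.name = new.target.name; // 'NotFoundError' etc. in logs and stack traces
    this.status = status;
    this.code = code;
    this.expose = expose;        // may the message be sent to the client?
  }
}

class ValidationError extends AppError {
  constructor(message) { super(message, { status: 400, code: 'validation', expose: true }); }
}
class NotFoundError extends AppError {
  constructor(what) { super(`${what} not found`, { status: 404, code: 'not_found', expose: true }); }
}
class ForbiddenError extends AppError {
  constructor() { super('forbidden', { status: 403, code: 'forbidden', expose: true }); }
}
// Infrastructure failures keep the driver's message in `cause` for the logs only.
class DatabaseError extends AppError {
  constructor(cause) { super('database unavailable', { status: 503, code: 'db_unavailable', cause }); }
}

// Translate any thrown value into a response. Unknown errors and non-exposed
// AppErrors get a generic body, so stack traces and hostnames never leave.
function toHttpResponse(err, log = () => {}) {
  if (err instanceof AppError && err.expose) {
    return { status: err.status, body: { error: err.code, message: err.message } };
  }
  log(err); // full detail, including cause, stays server-side
  const status = err instanceof AppError ? err.status : 500;
  return { status, body: { error: 'internal_error', message: 'Something went wrong' } };
}

// Route logic that throws typed errors (users: Map<number, object>, assumed).
function findUser(users, id) {
  if (!/^\d+$/.test(String(id))) throw new ValidationError('id must be numeric');
  const user = users.get(Number(id));
  if (!user) throw new NotFoundError(`user ${id}`);
  return user;
}

function handleGetUser(users, id, log) {
  try {
    return { status: 200, body: findUser(users, id) };
  } catch (err) {
    return toHttpResponse(err, log);
  }
}

module.exports = { AppError, ValidationError, NotFoundError, ForbiddenError, DatabaseError, toHttpResponse, findUser, handleGetUser };
```

In Express the `toHttpResponse` call sits in the four-argument error middleware; the `instanceof` checks are what make the `NotFoundError` vs. outage distinction in the text actionable.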

The Refresh Token Pattern: Stay Logged In Securely
A refresh token is like a key to a key-making machine; it mints new access tokens without re-prompting the user. This pattern keeps users logged in to web and mobile apps. The footgun: a leaked refresh token grants an attacker access for as long as it lives. Contain that by storing only a hash of it server-side, keeping it out of JavaScript's reach (an `HttpOnly` cookie on the web), rotating it on every use and revoking the whole token family when an already-rotated token is presented again.

Passport.js: The Local Strategy for Username/Password Auth
Passport's Local Strategy is the bouncer for traditional username/password logins in Node.js. You provide the verify callback that checks the submitted credentials against your database (comparing against a slow password hash such as bcrypt, scrypt or Argon2, never a stored plaintext), and Passport stores the resulting user in the session through `serializeUser`/`deserializeUser` on top of `express-session`.