
PM2: The Process Manager for Production Node.js
PM2 is a process manager that keeps your Node.js apps online. Use it to automatically restart crashed apps, run them in the background, and scale across CPU cores. The footgun is forgetting to run `pm2 save` to make your process list survive server reboots.

Sticky Sessions: Pinning a User to a Server
Sticky sessions pin a user's requests to a single server in a multi-server setup. This is crucial for stateful apps like Socket.IO, where a user's session lives on one machine.

Socket.IO Adapters: Scaling Beyond One Server
Socket.IO adapters let you scale beyond one server. They use a backend like Redis Pub/Sub to broadcast messages across all your instances, so a user on Server A gets events from Server B. The footgun is assuming this handles everything; you still need a load.

Socket.IO Namespaces: Channels on One Connection
Socket.IO namespaces are virtual channels over a single WebSocket connection, letting you split app logic without multiple connections. Use them for separate areas like `/admin` or for multi-tenancy.

Server-Sent Events (SSE): One-Way Data Push from Server
Server-Sent Events (SSE) push data from server to client over one HTTP connection. It's a simpler, one-way alternative to WebSockets for things like live news feeds or status updates.

Socket.IO Rooms: Broadcasting to Subsets of Clients
Think of Socket.IO Rooms as server-side channels for grouping clients. They let you broadcast messages to a specific subset, like a private chat or users following a topic. Remember rooms are a server-only concept; a client can't see which rooms it has joined.

Socket.IO: Broadcasting Events to Clients
Broadcasting sends a server-side event to multiple clients at once, like a public announcement system. Use it for live notifications or game state updates. The footgun: by default, it only reaches clients on the same server; use an adapter for multi-server…

Socket.IO: More Than Just WebSockets
Socket.IO is a library that provides real-time, bidirectional communication. It automatically picks the best transport—WebSocket or HTTP long-polling—to ensure your connection works. Use it for chat apps or live dashboards.

SharedArrayBuffer: True Shared Memory for JS Threads
SharedArrayBuffer is a shared whiteboard for JS threads, letting them access the same memory without slow data copies. It's used for high-performance parallel tasks. The footgun: without `Atomics` to coordinate, you'll get race conditions and corrupted data.

HSTS: Forcing Future Connections to Use HTTPS
HSTS is a response header that tells browsers to only use HTTPS for your site, automatically upgrading future HTTP requests. This prevents SSL stripping attacks on every visit after the first one that received the header (or on all visits if your domain is on the browser preload list).

Content Security Policy (CSP): An Allowlist for Browser Resources
Content Security Policy is an allowlist you send to the browser, dictating which scripts, styles, and images are safe to load. It's a primary defense against XSS attacks by blocking unauthorized resources.

Jest: A Batteries-Included JavaScript Test Framework
Jest is a 'batteries-included' JavaScript test framework, bundling a runner, assertions, and mocks for a zero-config experience. It's a go-to for testing Node, React, and TypeScript apps. Footgun: Snapshot tests only catch unexpected changes, not flawed logic.

Custom Error Classes: Beyond Generic Errors
Create specific error types, like `NotFoundError`, instead of generic ones. This lets your code react differently to different failures, like sending a 404 for a missing user vs. a 500 for a database outage.

The Refresh Token Pattern: Stay Logged In Securely
A refresh token is like a key to a key-making machine; it mints new access tokens without re-prompting the user. This pattern keeps users logged in to web and mobile apps. The footgun: a leaked refresh token can grant an attacker indefinite access.

Passport.js: The Local Strategy for Username/Password Auth
Passport's Local Strategy is the bouncer for traditional username/password logins in Node.js. You provide the logic to verify credentials against your database, and Passport handles the session management.

Mongoose Population: Linking Documents Across Collections
Mongoose's `populate()` acts like a client-side JOIN, replacing document IDs with actual documents from other collections. It's ideal for linking related data, like a blog post's author.

Mongoose Validation: Your Schema's Built-in Guard
Mongoose validation is a guard at the application layer, ensuring data conforms to schema rules before hitting the database. Use it for required fields, lengths, and ranges. The `unique` option is for database indexes, not a Mongoose validation rule.

Mongoose Middleware (Hooks): Intercepting Database Operations
Mongoose middleware (hooks) lets you intercept database operations. Think of them as "before" or "after" scripts for actions like `save` or `find`. Use them to hash passwords before saving a user.

Idempotency in REST APIs: Safe to Retry?
An idempotent API request means sending it once or 100 times has the same effect on the server's state. GET, PUT, and DELETE are idempotent, making them safe to retry. POST is not, so retrying can create duplicates.

API Pagination: Serving Big Datasets in Chunks
API pagination breaks large result sets into smaller chunks to prevent server overload. It's essential for any endpoint returning many records, like a list of users or products.