node_00 - Node.js HOME

Node is not a language, it's a runtime
V8 engine stripped of the browser chrome, glued to libuv for async I/O, wrapped in a C++ layer that gives JavaScript filesystem access and network sockets and process control. That's it. That's Node. Ryan Dahl built it in 2009 because he wanted to push real-time updates to a web server without Apache threads eating all the RAM, and somehow that evolved into 70% of backend APIs running JS in places nobody expected a browser language to survive.

what's in here

This section covers Node.js end-to-end: 13 categories, 80 files, from "what's a runtime" to "deploy to production". w3schools curriculum but with the 0x1RIS treatment - dry humor, security focus, and zero hand-holding. Every file builds on the last within each category, so start at the beginning of each group unless you already know what you're doing.

Introduction (9 files)

Start here. What Node is, how to install it, how V8 and libuv make it work, and the event loop that runs everything. Files: node_00 through node_08

Async Programming (4 files)

Callbacks, promises, async/await, and error handling in async code. Files: async_01 through async_04

Module System (7 files)

CommonJS, ES modules, npm, package.json, scripts, dependency management, publishing packages. Files: mod_01 through mod_07

Core Modules (11 files)

fs, path, os, events, buffers, streams, zlib, net, dns, util, url - the built-in modules you'll use every day. Files: core_01 through core_11

Web Development (9 files)

HTTP server, HTTPS, routing, middleware, sessions, templating, static files, REST APIs, WebSockets. Files: web_01 through web_09

Security (9 files)

OWASP Top 10 in Node context, crypto, input validation, authentication, Helmet.js, rate limiting, dependency auditing, secure config, logging. Files: sec_01 through sec_09

Testing (6 files)

Testing fundamentals, Jest, mocking, integration tests, debugging, E2E testing. Files: test_01 through test_06

Performance (3 files)

Profiling, clustering for multi-core, load testing. Files: perf_01 through perf_03

Databases (6 files)

Connecting to databases, SQL, NoSQL, ORMs and query builders, Redis, migrations. Files: db_01 through db_06

Deployment (5 files)

Environment setup, PM2 process manager, CI/CD pipelines, reverse proxy with nginx, monitoring and logging. Files: deploy_01 through deploy_05

Advanced Topics (6 files)

Child processes, worker threads, native addons (N-API), service workers, CLI apps, advanced stream patterns. Files: adv_01 through adv_06

Reference (3 files)

EventEmitter API reference, built-in module quick reference, resources and next steps. Files: ref_01 through ref_03

security angle

Node's attack surface is fundamentally different from browser JS
In a browser, JavaScript runs in a sandboxed environment with no filesystem access, no raw network sockets, and no process control. A DOM-based XSS can steal cookies, but it can't read /etc/passwd. Node removes every one of those restrictions - the same fetch() that hits an API in the browser can now read your internal network. The same eval() that was dangerous in the browser is now a full RCE vector.

// Browser JS - annoying but contained
// document.cookie is the worst that happens

// Node.js - this is production-destroying
const userInput = req.body.code
eval(userInput) // RCE with filesystem, network, process access

Every category in this section has its own security angle because that's the whole point of this blog.

attack surface overview

When you run Node in production , these are the things that will burn you if you don't understand them:

  • Event loop starvation - one CPU-heavy endpoint blocks all other requests
  • Module caching - secrets loaded at startup stay in memory for the process lifetime
  • Global namespace - any dependency can read anything you put there
  • Prototype pollution - JSON parsing can inject properties into Object.prototype
  • Supply chain - every npm install pulls unknown code into your runtime
  • Unvalidated input - same problem as every other backend, but JS coercion makes it worse
  • No sandbox - vm module is not a security boundary, despite the name
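The prototype pollution bullet in working code, as an added example that is not part of the original page: a naive recursive merge that lets a constructed JSON body reach Object.prototype, a hardened merge that refuses the dangerous keys and builds from a null prototype, and a JSON.parse reviver that rejects such payloads at the parse boundary before any merge sees them. FORBIDDEN_KEYS, naiveMerge, safeMerge, parseUntrustedJson and the PAYLOAD string are names and values chosen for this example.

```javascript
// Added example (not from the original page): prototype pollution through a
// recursive merge, and the two defensive checks that stop it. Every input
// below is constructed for the demonstration.

// Keys that must never be merged from untrusted data: each one is a path to
// Object.prototype or to a constructor's prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Vulnerable: recurses into whatever key the source supplies. With a source of
// {"__proto__": {...}} the lookup target["__proto__"] returns Object.prototype,
// so the recursion writes straight into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips the forbidden keys, only descends into the target's own
// properties, and creates nested objects with a null prototype so there is
// no prototype chain to climb into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection at the parse boundary: JSON.parse calls the reviver for every own
// property it creates, including one literally named "__proto__", so a payload
// carrying a forbidden key is rejected before it reaches any merge.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new SyntaxError(`forbidden key in untrusted JSON: ${key}`);
    }
    return value;
  });
}

// Constructed request body: looks like ordinary user settings.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge on a fresh object and reports whether an unrelated
// object inherited the injected property. Undoes the pollution afterwards so
// the process stays usable.
function naiveMergePollutes(payload) {
  naiveMerge({}, JSON.parse(payload));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Same check against the hardened merge: neither the shared prototype nor the
// merged result should carry the injected property.
function safeMergePollutes(payload) {
  const result = safeMerge(Object.create(null), JSON.parse(payload));
  const polluted = ({}).isAdmin === true || 'isAdmin' in result;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('naiveMerge pollutes Object.prototype:', naiveMergePollutes(PAYLOAD));
console.log('safeMerge pollutes Object.prototype:', safeMergePollutes(PAYLOAD));
```

The reviver check is the cheapest place to catch this, since it runs once per key at the edge where the body is decoded; the hardened merge is the backstop for data that arrived by some other path, such as query-string parsers or YAML.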

prerequisites

none - just show up with a terminal and willingness to learn

how this section is organized

Each file within a category builds on the one before it. Start at the beginning of whatever category interests you. Every file ends with a "next ->" link pointing to the next file in that category. Code examples assume you've read previous concepts in the same group. You can jump between categories freely since each group is self-contained.

The format stays consistent: explanation first, code example second, security angle third. Tone stays dry and direct - no hand-holding, no motivational quotes, just working knowledge that translates to real servers.


next -> node_01_intro