
Node.js Express Hidden Service: Build and Deploy Guide

Node.js with Express is a popular stack for Tor hidden services: excellent performance for I/O-heavy applications, a large package ecosystem, and well-documented deployment with Nginx and Tor. This guide covers building, securing, and deploying a Node.js Express application as a production hidden service.


Express Application Security Foundations

Install Helmet.js for security headers: npm install helmet; app.use(helmet()). Helmet sets: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-XSS-Protection: 0 (disabled in modern browsers per OWASP), Strict-Transport-Security (applicable even for .onion over HTTPS), Content-Security-Policy (configure for your specific app). Rate limiting: npm install express-rate-limit. For hidden services, IP-based limiting is ineffective (all clients appear from 127.0.0.1). Use token-based or session-based rate limiting. CORS: configure to allow only your .onion origin: app.use(cors({ origin: 'http://YOURONIONADDRESS.onion' })). Input sanitization: npm install express-validator for request validation and sanitization.

PM2 Process Management for Hidden Service Node.js

PM2 manages Node.js processes in production: npm install -g pm2. Create ecosystem.config.js: module.exports = { apps: [{ name: 'hidden-service', script: './src/index.js', instances: 2, exec_mode: 'cluster', env: { NODE_ENV: 'production', PORT: 3000 }, max_memory_restart: '500M' }] }. Start: pm2 start ecosystem.config.js. PM2 cluster mode runs multiple Node.js processes sharing the port (better CPU utilization on multi-core servers). Enable PM2 startup: pm2 startup systemd; pm2 save (ensures PM2 and applications restart on server reboot). Monitor: pm2 monit (real-time monitoring), pm2 logs (log output), pm2 status (process status).

Database Access with Prisma ORM for Hidden Services

Prisma provides type-safe database access for Node.js hidden services. Setup: npm install @prisma/client; npx prisma init. Configure .env with DATABASE_URL pointing to localhost PostgreSQL: DATABASE_URL='postgresql://hsuser:password@localhost:5432/hiddendb'. Define schema in prisma/schema.prisma. Generate client: npx prisma generate. Migrations: npx prisma migrate deploy. Security: store DATABASE_URL in environment variables, never in code. Use Prisma's parameterized queries (all ORM queries are parameterized by default). Connection pooling: PgBouncer as connection pooler for PostgreSQL reduces connection overhead for multiple PM2 workers.

Nginx Reverse Proxy for Node.js Hidden Service

Nginx configuration for Node.js with PM2: upstream hidden_nodejs { server 127.0.0.1:3000; keepalive 64; }. Server block: listen 127.0.0.1:80; server_name _; location / { proxy_pass http://hidden_nodejs; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_cache_bypass $http_upgrade; proxy_read_timeout 300s; }. Listening on 127.0.0.1 only matters: the Tor daemon on the same host forwards .onion requests to that loopback port, and nothing else should be able to reach Nginx. Security: add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; server_tokens off. To use a Unix socket instead (less overhead than loopback TCP), change the upstream entry to server unix:/run/pm2/hidden-service.sock; and have the Node.js process listen on that socket path.

Authentication with JWT for Hidden Services

JWT (JSON Web Tokens) for stateless authentication in Node.js hidden services: npm install jsonwebtoken bcryptjs. Token generation: const token = jwt.sign({ userId: user.id }, process.env.JWT_SECRET, { expiresIn: '24h' }). Verification middleware: verify the token on protected routes and extract userId from the payload. Security requirements: JWT_SECRET must be a cryptographically random string of at least 256 bits, for example from openssl rand -base64 32. Store JWT_SECRET in environment variables, not in code. Use RS256 (RSA asymmetric) instead of HS256 when tokens are issued by one service and verified by others, so that verifiers hold only the public key. Refresh token pattern: short-lived access tokens (15 minutes) plus longer-lived refresh tokens (30 days) stored in HttpOnly cookies; this limits the damage if an access token leaks.
