Step-by-Step Guide

How to Deploy a Node.js Application to Production

A step-by-step guide on how to prepare, configure, and deploy a Node.js application to a production server with process management, HTTPS, and monitoring.

Prepare the Application for Production

Set the NODE_ENV environment variable to 'production'. This signals libraries like Express to enable performance optimizations and disable development features like detailed error messages. Run npm install with the --production flag to skip devDependencies. Ensure all secrets are in environment variables and no sensitive data is in the codebase or committed to version control.

Use PM2 for Process Management

Node.js applications crash when an uncaught exception occurs. PM2 is a production process manager that automatically restarts your application when it crashes. Install PM2 globally and start your application with pm2 start. Configure an ecosystem.config.js file to define the application name, entry point, number of instances, and environment variables. Use pm2 startup to make PM2 start automatically when the server reboots.

Enable Cluster Mode for Multi-Core Usage

A single Node.js process uses only one CPU core. On a multi-core server, most of the CPU is unused. Configure PM2 to run your application in cluster mode by setting instances to the string 'max' in your ecosystem file. PM2 spawns one worker process per CPU core and load balances incoming requests across them, multiplying your server's throughput proportionally to the number of cores.

Set Up Nginx as a Reverse Proxy

Run Nginx in front of your Node.js application. Nginx handles HTTPS termination, serves static files directly without involving Node, compresses responses with gzip, and can rate limit connections at the network level. Configure Nginx to proxy requests to your Node.js application running on localhost at its port. This setup is more secure and performant than exposing Node.js directly to the internet.

Configure HTTPS with SSL Certificates

All production traffic must be encrypted with HTTPS. Use Certbot with Let's Encrypt to obtain free SSL certificates for your domain. Certbot automatically configures Nginx to use the certificates and sets up automatic renewal, so the certificates are renewed before they expire after 90 days. Configure Nginx to redirect all HTTP traffic to HTTPS so users are always on the secure connection.

Configure Environment Variables Securely

On your production server, set environment variables through your hosting platform's interface, through systemd service files, or through PM2's ecosystem configuration with environment-specific env blocks. Never commit a .env file containing production secrets to version control. For highly sensitive secrets like database passwords and API keys, use a secrets management service like AWS Secrets Manager or HashiCorp Vault.

Set Up Health Check Endpoints

Create a GET endpoint at a path like /health that returns a 200 status when the application is running correctly. Include checks for database connectivity and any other critical dependencies. Configure your load balancer or container orchestration platform to periodically call this endpoint. If the health check fails, traffic is automatically routed away from the unhealthy instance and it is restarted.
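
The following sketch of such an endpoint is an added example, not code from the original guide. The check names, the probe functions, the 2-second timeout, and the choice of 503 for an unhealthy result are assumptions made for illustration; failure reasons go to the server log only, so the response never exposes internal error details.

```javascript
// Added example: dependency-aware /health handler (plain Node.js, no framework).
// Check names and probe functions passed in are hypothetical placeholders.

// Run one probe and mark it failed if it does not settle within timeoutMs.
async function runCheck(name, probe, timeoutMs) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), timeoutMs);
  });
  try {
    // Promise.resolve().then() also catches probes that throw synchronously.
    await Promise.race([Promise.resolve().then(probe), timeout]);
    return { name, ok: true };
  } catch (err) {
    // The reason is kept for server-side logging and never sent to the client.
    return { name, ok: false, reason: String((err && err.message) || err) };
  } finally {
    clearTimeout(timer);
  }
}

// Run all probes in parallel; build the HTTP status and the public body.
async function evaluateHealth(checks, timeoutMs = 2000) {
  const results = await Promise.all(
    Object.entries(checks).map(([name, probe]) => runCheck(name, probe, timeoutMs))
  );
  const healthy = results.every((r) => r.ok);
  const body = { status: healthy ? 'ok' : 'unavailable', checks: {} };
  for (const r of results) body.checks[r.name] = r.ok ? 'up' : 'down';
  return { statusCode: healthy ? 200 : 503, body, results };
}

// Build a (req, res) handler; mount it at GET /health, for example with
// app.get('/health', healthHandler({ database: () => pool.query('SELECT 1') })).
function healthHandler(checks, log = console.error) {
  return async (req, res) => {
    const { statusCode, body, results } = await evaluateHealth(checks);
    for (const r of results) {
      if (!r.ok) log(`health check ${r.name} failed: ${r.reason}`);
    }
    res.writeHead(statusCode, {
      'Content-Type': 'application/json',
      'Cache-Control': 'no-store', // proxies must not cache a stale "ok"
    });
    res.end(JSON.stringify(body));
  };
}
```

Because each probe is bounded by the timeout, a hung database connection produces a failed check rather than a health request that never returns.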

Monitor Application Performance and Errors

Set up application performance monitoring using a service like New Relic, Datadog, or Sentry. These tools track response times, error rates, database query performance, and memory usage over time. Configure alerts to notify your team when error rates spike, response times degrade, or memory usage climbs toward the server's limit. Proactive monitoring allows you to identify and resolve issues before users are significantly impacted.
