Should I open port 3000 in the EC2 security group?
No. Never expose the Node.js port (3000) directly to the internet. All traffic should go through Nginx on port 80/443, which proxies to localhost:3000. Only ports 22 (SSH from your IP), 80, and 443 should be open.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in AWS EC2 Security Best Practices Hardening Your Node.js Server
Use key-based authentication only (disable PasswordAuthentication in sshd_config), restrict SSH to your IP in the security group, disable root login (PermitRootLogin no), and use the ubuntu user with sudo for privileged commands. Never run Node.js as root.
X-Frame-Options (SAMEORIGIN, prevents clickjacking), X-Content-Type-Options (nosniff, prevents MIME sniffing), X-XSS-Protection, Referrer-Policy, Content-Security-Policy, and Strict-Transport-Security (HSTS) for HTTPS-only.
Install unattended-upgrades (sudo apt install unattended-upgrades) and configure it with sudo dpkg-reconfigure -plow unattended-upgrades. This automatically installs security updates as they become available.
Still have questions?
Browse all our FAQs or reach out to our support team
