How to Secure Your Micro / Raw HTTP App with SecureNow — Zero-Framework Node.js Monitoring

Step-by-step guide to adding security monitoring to a raw Node.js HTTP server with SecureNow. No framework required — just http.createServer and one npm package.

Lhoussine
Mar 26, 2026·8 min read

Not every Node.js service needs Express, Fastify, or Koa. Sometimes http.createServer and a handful of helper functions are all you need. If that describes your stack, SecureNow fits right in — it instruments the core http module at the runtime level, so there is no middleware to add, no framework plugin to configure, and no code to rewrite.

This guide covers the full path from an empty terminal to a fully monitored raw HTTP server: installing the package, authenticating, creating an app on the free trial, wiring up environment variables, writing a minimal server, and verifying that traces land in the dashboard.

...

Prerequisites

  • Node.js 18+ installed
  • A project directory (even an empty one — we will create a server from scratch)
  • A terminal and a browser

No SecureNow account yet? The CLI will open a browser-based signup/login flow for you.

...

Step 1: Install the Package

npm install securenow

That is the only dependency you need. There is no separate framework adapter, no OpenTelemetry boilerplate, and no config file generator. securenow bundles the full OTel SDK, auto-instrumentations, the OTLP exporter, and the CLI.

...

Step 2: Log In via the CLI

Authenticate with one command:

npx securenow login

A browser tab opens at app.securenow.ai where you can sign up or log in. Once authenticated, the token is saved to ~/.securenow/credentials.json and every subsequent CLI command is authorized.

Prefer a non-interactive flow? Generate a CLI token from your dashboard at Settings → CLI Token, then run:

npx securenow login --token YOUR_TOKEN

Verify you are logged in:

npx securenow whoami

...

Step 3: Create an Application (Free Trial)

Every monitored service gets a unique app key. Create one from the CLI:

npx securenow apps create my-http-server

Choose Free Trial when prompted — this provisions a managed OTLP collector at https://freetrial.securenow.ai:4318 at no cost and with no credit card.

Output:

✔ Application created

  SECURENOW_APPID=a1b2c3d4-e5f6-7890-abcd-ef1234567890
  SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318

Add these to your .env file.

Optionally set it as your default:

npx securenow config set defaultApp a1b2c3d4-e5f6-7890-abcd-ef1234567890

...

Step 4: Configure Environment Variables

Create (or update) a .env file in your project root:

SECURENOW_APPID=a1b2c3d4-e5f6-7890-abcd-ef1234567890
SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
SECURENOW_LOGGING_ENABLED=1
SECURENOW_CAPTURE_BODY=1

| Variable | Purpose |
| --- | --- |
| SECURENOW_APPID | Identifies your app in the dashboard. Use the key from Step 3. |
| SECURENOW_INSTANCE | OTLP collector URL. Free trial default shown above. |
| SECURENOW_LOGGING_ENABLED | Set to 1 to forward console.log/warn/error as OTel logs. |
| SECURENOW_CAPTURE_BODY | Set to 1 to attach request bodies to trace spans. Works perfectly with raw HTTP — sensitive fields are automatically redacted. |

...

Step 5: Instrument Your Raw HTTP Server

Add require('securenow/register') as the very first line of your entry file — before any other require. This is the most important detail: the OTel SDK must load before the http module so it can monkey-patch createServer.

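require('securenow/register'); // must stay first so the SDK loads before http
require('securenow/console-instrumentation');

const http = require('http');

const MAX_BODY_BYTES = 1024 * 1024; // refuse request bodies larger than 1 MiB

// Buffer the request body; reject with a 413 error once it exceeds the cap.
function readBody(req) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    let size = 0;
    req.on('data', (chunk) => {
      size += chunk.length;
      if (size > MAX_BODY_BYTES) {
        const err = new Error('Payload too large');
        err.statusCode = 413;
        return reject(err);
      }
      chunks.push(chunk);
    });
    req.on('end', () => resolve(Buffer.concat(chunks).toString()));
    req.on('error', reject);
  });
}

function sendJson(res, statusCode, data, extraHeaders = {}) {
  res.writeHead(statusCode, { 'Content-Type': 'application/json', ...extraHeaders });
  res.end(JSON.stringify(data));
}

const server = http.createServer(async (req, res) => {
  try {
    const url = new URL(req.url, `http://${req.headers.host}`);

    if (req.method === 'GET' && url.pathname === '/api/health') {
      return sendJson(res, 200, { status: 'ok' });
    }

    if (req.method === 'GET' && url.pathname === '/api/users') {
      console.log('Fetching users', { query: Object.fromEntries(url.searchParams) });
      return sendJson(res, 200, [
        { id: 1, name: 'Alice' },
        { id: 2, name: 'Bob' },
      ]);
    }

    if (req.method === 'POST' && url.pathname === '/api/users') {
      const body = JSON.parse(await readBody(req)); // throws SyntaxError on bad JSON
      if (body === null || typeof body !== 'object' || Array.isArray(body)) {
        return sendJson(res, 400, { error: 'Expected a JSON object' });
      }
      console.info('Creating user', { email: body.email });
      return sendJson(res, 201, { ...body, id: 3 }); // server-assigned id wins
    }

    sendJson(res, 404, { error: 'Not found' });
  } catch (err) {
    // Without this catch, a malformed body or URL becomes an unhandled
    // rejection in the async handler and takes the whole process down.
    if (err.statusCode === 413) {
      return sendJson(res, 413, { error: 'Payload too large' }, { Connection: 'close' });
    }
    if (err instanceof SyntaxError || err.code === 'ERR_INVALID_URL') {
      return sendJson(res, 400, { error: 'Bad request' });
    }
    console.error('Unhandled error', err);
    sendJson(res, 500, { error: 'Internal server error' });
  }
});

const PORT = process.env.PORT || 3000;
server.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});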

No middleware, no plugins, no decorators. This is the most minimal setup possible — pure Node.js with zero framework overhead.
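
Why the load order in Step 5 matters, as an added example (not SecureNow or OpenTelemetry code): a simplified model in which a toy tracer wraps http.createServer, and a reference bound before the patch goes untraced. installToyTracer, runScenario and the spans array are hypothetical names, and the request/response objects are constructed stubs.

```javascript
// Added illustration, not SecureNow or OpenTelemetry source code.
// "spans" is a constructed in-memory stand-in for an exporter.
const http = require('http');

const spans = [];

// Replace http.createServer with a wrapper that records one span per request.
function installToyTracer() {
  const original = http.createServer;
  http.createServer = function tracedCreateServer(...args) {
    // createServer accepts ([options], [requestListener]); find the listener.
    const i = args.findIndex((a) => typeof a === 'function');
    if (i !== -1) {
      const handler = args[i];
      args[i] = function tracedHandler(req, res) {
        spans.push({ method: req.method, url: req.url });
        return handler.call(this, req, res);
      };
    }
    return original.apply(this, args);
  };
  return () => { http.createServer = original; }; // undo the patch
}

// appLoadsFirst = true models an entry file that binds createServer before
// the tracer is installed; false models the tracer being preloaded.
function runScenario(appLoadsFirst) {
  spans.length = 0;
  let createServer;
  if (appLoadsFirst) ({ createServer } = http);
  const uninstall = installToyTracer();
  if (!appLoadsFirst) ({ createServer } = http);

  const server = createServer((req, res) => res.end('ok'));
  // Drive the handler with constructed request/response stubs,
  // so nothing has to listen on a port.
  server.emit('request', { method: 'GET', url: '/api/health' }, { end() {} });

  uninstall();
  return spans.slice();
}

console.log('tracer first:', runScenario(false)); // one span recorded
console.log('app first:   ', runScenario(true));  // no spans: handler untraced
```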

Alternative: Zero Code Changes with NODE_OPTIONS

If you prefer not to touch your source files:

NODE_OPTIONS="-r securenow/register -r securenow/console-instrumentation" node app.js

Or add it to package.json:

{
  "scripts": {
    "start": "node app.js",
    "start:observe": "NODE_OPTIONS='-r securenow/register -r securenow/console-instrumentation' node app.js"
  }
}

...

Step 6: Start and Verify

Run your app:

node app.js

You should see:

[securenow] OTel SDK started → https://freetrial.securenow.ai:4318/v1/traces
[securenow] 📋 Logging: ENABLED → https://freetrial.securenow.ai:4318/v1/logs
[securenow] Console instrumentation installed
Server running on port 3000

Generate some traffic:

curl http://localhost:3000/api/health
curl http://localhost:3000/api/users
curl -X POST http://localhost:3000/api/users -H "Content-Type: application/json" -d '{"name":"Charlie","email":"charlie@example.com"}'

Check your dashboard from the terminal:

npx securenow status

You should see your app listed as protected. Browse traces directly:

npx securenow traces

Or open the full dashboard at app.securenow.ai.

...

Bonus: Useful CLI Commands

| Command | What It Does |
| --- | --- |
| securenow traces | List recent traces |
| securenow traces show <traceId> | Inspect a single trace |
| securenow traces analyze <traceId> | AI-powered trace analysis |
| securenow logs | List recent logs |
| securenow issues | View detected security issues |
| securenow analytics | Traffic and performance analytics |
| securenow ip <address> | Look up an IP address |
| securenow blocklist add <ip> | Block a malicious IP |
| securenow alerts rules | Manage alert rules |
| securenow forensics | Run natural-language forensic queries |

...

Production Deployment with PM2

For production, use PM2 with an ecosystem config:

// ecosystem.config.js
module.exports = {
  apps: [{
    name: 'my-http-server',
    script: './app.js',
    instances: 4,
    exec_mode: 'cluster',
    node_args: '-r securenow/register -r securenow/console-instrumentation',
    env: {
      SECURENOW_APPID: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
      SECURENOW_INSTANCE: 'https://freetrial.securenow.ai:4318',
      SECURENOW_LOGGING_ENABLED: '1',
      SECURENOW_CAPTURE_BODY: '1',
      SECURENOW_NO_UUID: '1',
      NODE_ENV: 'production',
    }
  }]
};

pm2 start ecosystem.config.js

Setting SECURENOW_NO_UUID=1 ensures all cluster workers report under the same service name.

...

Docker Deployment

FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
ENV SECURENOW_APPID=my-http-server
ENV SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
ENV SECURENOW_LOGGING_ENABLED=1
ENV SECURENOW_CAPTURE_BODY=1
ENV NODE_ENV=production
EXPOSE 3000
CMD ["node", "app.js"]

...

What SecureNow Detects Automatically

Once traces are flowing, SecureNow watches for:

  • SQL injection — malicious patterns in query parameters and request bodies
  • XSS attempts — script injection in user input
  • Credential stuffing — high-velocity failed authentication attempts
  • API abuse — unusual request patterns, rate-limit evasion, unauthorized endpoint access
  • Anomalous traffic — AI-powered detection of behavioral outliers
  • Supply-chain signals — unexpected outbound calls from your service
  • Performance degradation — slow queries, high error rates, latency spikes

All of this happens without writing a single detection rule. Security issues surface in the dashboard and can trigger alerts via email, Slack, or custom webhooks.

...

Recap

| Step | Command / Action | Time |
| --- | --- | --- |
| Install | npm install securenow | 10 s |
| Login | npx securenow login | 20 s |
| Create app | npx securenow apps create my-http-server | 15 s |
| Configure | Add env vars to .env | 30 s |
| Instrument | Add require('securenow/register') as first line | 30 s |
| Verify | npx securenow status | 10 s |

No framework, no middleware, no overhead. Your raw HTTP server is now observable and protected.

...

Next Steps

Happy shipping — and happy securing.

Frequently Asked Questions

Does SecureNow work without any web framework?

Yes. SecureNow instruments the core Node.js http module directly. Any server built with http.createServer — including micro-frameworks, custom routers, or plain handler functions — is automatically traced.

Can I capture request bodies with raw HTTP?

Yes. Set SECURENOW_CAPTURE_BODY=1 in your environment. SecureNow hooks into the request stream to capture body content. Sensitive fields like passwords and tokens are automatically redacted before export.

What is the performance overhead of SecureNow on a raw HTTP server?

Minimal. The OpenTelemetry SDK adds single-digit millisecond overhead per request. For most APIs, the difference is undetectable in production. You can disable body capture or logging to reduce it further.

Does SecureNow work with PM2 cluster mode on a raw HTTP server?

Yes. Pass the preload via node_args in your ecosystem.config.js and set SECURENOW_NO_UUID=1 so all workers report under the same service name.
