Azure SDK for node 0.5.4 is out! More secure and now with less angle brackets

As Yavor said, Azure SDK for node 0.5.4 is out with a bunch of goodies!

Closing a security hole

Recently a vulnerability was detected in node.exe that could theoretically allow an attacker to perform a header-spoofing attack. Version 0.6.17 contains a fix for this attack. We take security very seriously, so we’re releasing this update which includes node 0.6.17 to remove the vulnerability.

Please go download the latest bits to remove this vulnerability!

Less angle brackets, more YAML

iisnode offers some really nice hosting capabilities like spinning up and managing multiple node procs, allowing access to logs over HTTP, providing good debugger errors in the browser for diagnostics and supporting node-inspector for debugging.

To access any of these benefits however you have to travel the sea of angle brackets known as web.config. For .NET / Windows developers, this is the norm. However, we heard a lot of feedback from folks in the node-a-verse, in particular coming from on a Mac / *nix that this feels very strange that they have use web.config in order to config node-specific things in Windows Azure, especially in light of the other offerings out there. Looking around we saw that a common pattern was to use a simple key-value format for specifying similar settings with YAML being a very popular format.


And so our team racked our brains a bit, got a bunch of feedback and iisnode.yml was born and implemented by Tomek! iisnode.yml is an optional file that sits along side web.config. It allows you to set all of our iisnode settings without having to ever touch web.config. Below is a really simple example.

# This is a really simple iisnode.yml file

node_env: development
devErrorsEnabled: true
loggingEnabled: true

The settings set the node_env environment variable to development, enables logging all node.exe output and enables developer errors.

For example, the code below has an error in that it requires a module that does not exist, also it uses spaces in the module name.

var http = require('http');
var notPresent = require('some awesome module');
http.createServer(function (req, res) {
  throw "error";
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World Again\n');

If I don’t enable devErrors this is what I get when I do a request.

Screen Shot 2012-05-12 at 11.10.45 AM

However, look at what I get when I enable devErrors with logging.

Screen Shot 2012-05-12 at 11.04.40 AM

Above you an see that an error occurred because it could not find my wacky module.

Developer errors is a pretty cool feature that allows iis to output in the response any errors that occurred right in the browser. Combined with logging, it’s really useful for debugging on a remote/staging server.

Of course you don’t want anyone seeing that in your live production site, so you should probably shut that off.


By convention we look for iisnode.yml. If you are not happy with that name however, you can set your own name in the iisnode element of web.config by using the configOverrides property.

<iisnode configOverrides="myfile.yml"/>

Note: configOverrides also allows you to do environment variable expansion. Thus instead of having a static file name you can have a name that includes an environment variable value. More on that in the future.

But wait, don’t I still need a web.config when I publish to Windows Azure?

Great question! Today you still need a web.config though as Tomek said that can be boilerplate and you don’t have to look at it. Tomorrow however…. ;-)

Go get the latest SDK here.

This entry was posted in node.js. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • Anton UA

    please visit to

  • Manu Temmerman-Uyttenbroeck

    I would like to see something like iisnode.yml for any web.config file where I need to add appSettings :)