
JavaScript Security

By : Eugene Liang

Basic defense against similar attacks


First and foremost, we need to prevent cross-origin posting of form values unless we are absolutely sure that we control who can submit the POST (or at least know who can). For a start, we can block cross-origin posts that have not been authorised by our own application.

For instance, here's what we can do to prevent cross-origin posting: we first need to install cookie-session (https://github.com/expressjs/cookie-session) and the csurf CSRF middleware (https://github.com/expressjs/csurf) and then apply them in our server.js file.

To install CSRF, simply run the command npm install -g csrf.

The settings of our server.js file now look like this:

var express    = require('express');
var bodyParser = require('body-parser');
var app        = express();
var session    = require('cookie-session');
var csrf       = require('csurf');   // the csurf package linked above

// csurf keeps a per-session secret, so the session middleware must be
// registered before it; body-parser must also run before it so that the
// token in a posted form body (req.body._csrf) can be read.
// '<session-signing-key>' is a placeholder: use a long random value in production.
app.use(session({ name: 'session', keys: ['<session-signing-key>'] }));
app.use(bodyParser.urlencoded({ extended: false }));
app.use(csrf());

var port     = process.env.PORT || 8080; // set our port

var mongoose   = require('mongoose');
mongoose.connect('mongodb://127.0.0.1/todos...