Why I created a NodeBB "forum" in 2019

Some of the younger audience may not remember, but most of us can probably recall the good ol' MyBB, phpBB, that Perl-based CGI forum, and the good ol' gold standard vBulletin back in the day...

Forums, or "message boards" as they were called, were a popular pre-social-media means of communication, and for good reason too.

In the current state of Slacks, Discords, Gitters, and social media websites, I decided to create a good old-fashioned forum for discussion of software application security tools, techniques, and processes.

Let's examine some of the strengths that a discussion forum, message board, or bulletin board has over a chat room:

Better organization of subject

There are many strengths to chat rooms like Slack and Discord, but unfortunately, organization of subjects is not one of them. On a message board, a user selects a general subject and is then presented with an index of discussions which are centered around a topic/thread title.

Contrast this with a chat channel. Although a channel may be called "game-dev", for example, there are literally hundreds of thousands of subtopics within game-dev that could be under discussion in the chat room at any given moment, and someone who was out of the chat for a day or two could have missed some amazing content that they would then have to sift through amidst the occasional irrelevant banter. We've all been there.

Higher quality content

In my experience, chat rooms tend to have lower quality content for several reasons:

  1. There's an inherent "rush" feeling since the chat is happening in real time. You wait for a good moment to switch subjects, but if you're too slow, someone else may start up a new subject first, and you could risk an awkward conversation or interrupting.

  2. Since it's real-time, mistakes are less scrutinized in a chat message than in an email or forum post, and more abbreviations/slang tend to be used. It's like a more casual conversation versus a formal email.

  3. There is just something about writing a "post" which demands more work than a "chat message" in many cases. We see another increase in quality when we go from a forum post to a blog, or a blog to a book. Typically, book content quality is more highly scrutinized by field experts, editors, and the publisher compared with a blog. In a similar, but less formal vein, forum posts tend to be more scrutinized than chat messages and incorrect information will often be called out in replies. My speculation here is that more eyes have the chance to see and understand the forum post, whereas a chat message scrolls up into oblivion and maybe only 3 of 150 pairs of eyes actually saw it.

NodeBB offers modern, robust features

One of the issues with older message boards compared with the modern style of web apps is that they were not "single page applications" but rather a series of loaded pages. This gives them an older feel, and the user also waits for refreshes and crosses their fingers that their long post actually got submitted, etc... They are also restricted to email-style DMs and feel outdated all around.

NodeBB addresses all of these issues. It relies on WebSockets for most data transmission, supports actual chat rooms, DMs, AND message board posts, and it also supports Markdown, has an instant side-by-side preview of messages, supports a rich reply-to function which allows quoting specific user text vs just @mentioning the user, etc... Due to the socket connection, the message board is also extremely fast with very little perceived latency on the user's end.

Another reason I chose NodeBB was that I wanted to use Node.js on my backend. More specifically, I did not want to use PHP, for several reasons: I am more familiar with JavaScript and Node.js. I used to code in PHP back in the PHP 3 days, but frankly, with my limited modern PHP knowledge, it would be a liability for me to be maintaining a PHP website. I can't speak to modern PHP, but I also know that Node.js applications tend to be relatively secure as long as dependencies are properly scanned and updated too.

I also wanted to use a NoSQL database, and Node.js plays well with MongoDB.

To be honest, I didn't always like to reach for Node, but I felt like this would be a great project to reach for Node on.

Lastly, it probably goes without saying, but NodeBB is responsive across various devices.

Downsides

Let's talk about some of the challenges in setting up NodeBB. For most web developers, it may not be the easiest process, but it's doable. However, for people who are not developers or sysadmins, setting this thing up can be a real PITA. That's because it requires specific versions of Node.js, MongoDB, and the forum software. Additionally, manually configuring a virtual private server properly can be challenging, and inexperienced admins may leave their site open to serious security risks. I spent about 48 hours initially configuring my server for this board because, being a security forum, I wanted to properly secure the OS, firewall, SSH, etc...

For the above reasons, NodeBB offers a cloud service which handles all of that, but the cloud service is a bit pricey - starting at $250-$750/month. I chose the manual route, being a software professional, but it's nice to have that option I suppose.

Links

My new application security forum

NodeBB software

Emil Moe

For someone who used to be an administrator of several very popular vBulletin boards, I can say that was a pain in the black spot to set permissions to users but also to develop extensions as they were often written in primitive text boxes in the admin UI 😂

Marco Alka

Any reason why you decided against Discourse? To me, it seems like the more modern forum, or at least with a better UX... Except that it's Ruby+Postgres instead of NodeJS+Mongo, of course 😉

Todd

Software Security TechLead

Yes, mostly due to personal experience (I had used NodeBB but not Discourse as much) AND as you stated, the tech stack... I'm not that familiar with Ruby compared to Node and JavaScript, and as I'm the sole maintainer of the site and I do this in my spare time, that plays a significant role.