Basic defense against similar attacks
First and foremost, we need to prevent cross-origin posting of form values unless we are absolutely sure that we control who can issue the POST (or at least know who can). As a start, we can reject any cross-origin POST that does not carry the expected permission.
For instance, here's what we can do to prevent cross-origin posting: we first need to install cookie-session (https://github.com/expressjs/cookie-session) and the csurf CSRF middleware (https://github.com/expressjs/csurf), and then apply them in our server.js file.
To install both packages into the project, simply run the command npm install cookie-session csurf.
The settings of our server.js file now look like this:
var express = require('express');
var bodyParser = require('body-parser');
var session = require('cookie-session');
var csrf = require('csurf'); // the expressjs/csurf middleware (the npm package is named csurf)

var app = express();

// Order matters: csurf needs a session (or cookie-parser) to store its secret in,
// and a parsed body so it can read the _csrf field, so both must be mounted before it.
app.use(session({ keys: ['REPLACE-WITH-A-SECRET-KEY'] })); // placeholder key; use a real secret
app.use(bodyParser.urlencoded({ extended: false }));
app.use(csrf());

var port = process.env.PORT || 8080; // set our port
// var mongoose = require(...   (the rest of the file is cut off in the source)