I agree with anm and schaermu about using a reverse proxy so that your application is not directly accessed by your visitors, even if that really has more to do with stability than security.
I want to add that you also have to think about safely installing Node itself and its modules. In particular, never install npm using this method:
curl http://npmjs.org/install.sh | sudo sh
This is basically giving a root shell to anything that you get from the network using insecure HTTP with no verification at all, not even knowing who you are talking to. This can lead to a serious compromise of your entire system using very basic and widely known methods, and if your system is compromised then it doesn’t matter if your application is behind a reverse proxy, firewall or anything. See this answer for a more comprehensive explanation.
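A safer alternative to the piped install warned against above, added here as an example and not part of the original answer: download the installer to a file over HTTPS only, compare it with a SHA-256 digest obtained out of band, and run it unprivileged only if it matches. The function names are hypothetical, and the URL and pinned digest you pass in are assumed to come from a source you trust.

```shell
#!/bin/sh
# Added example: verify an installer before executing it, instead of
# piping network output straight into a root shell.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on digest mismatch, 2 if FILE is missing or empty.
verify_installer() {
    file=$1 expected=$2
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_run URL EXPECTED_SHA256
# Returns 3 for a non-HTTPS URL; otherwise the download, verification
# or installer exit status.
fetch_verify_run() {
    url=$1 expected=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 3 ;;
    esac
    tmp=$(mktemp) || return 2
    # --proto '=https' also blocks redirects to plain HTTP; -f fails on HTTP errors.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    verify_installer "$tmp" "$expected" || { rc=$?; rm -f "$tmp"; return $rc; }
    # Run as the current unprivileged user; no sudo here.
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Because the script is saved to a file first, it can also be read before it is run, which the piped form never allows.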