I am performing a $http.post to my node.js server with the following:
$http.post('http://68.xx.xxx.xxx:3000/login', {foo:'foo'});
I assume it is not best practice to have the IP address of my server unprotected like this? Anyone with a browser can easily see the IP address.
What are the security impacts of this?
And what are the best ways to make this more secure?
I guess since they are interacting with the server anyways they could get the IP address through other methods. So I may be overthinking this.
Is this less dangerous than I fear?
There are no direct security implications of using the IP address instead of a domain name, because anyone can resolve the IP address from a domain name.
However, you may have problems when you have to move your server to another hosting provider (since the IP address will be modified and your application may stop working) or if your hosting provider doesn't guarantee that you'll always have the same IP address.
The main risk is that you cannot protect the data in transit with authenticated TLS/SSL - this is because you will not be able to easily buy a trusted certificate for an IP address to enable the use of HTTPS (that is without you being listed as the RIPE registered owner of that IP address).
An eavesdropper or Man-In-The-Middle could intercept or alter credentials in flight if you are using plain HTTP.
You would be better getting a domain name and protecting it with TLS/SSL:
$http.post('https://example.com:3000/login', {foo:'foo'});
As to your other points, it is trivial to get an IP address from a domain name.
>nslookup example.com
Server: UnKnown
Address: 172.16.188.2
Name: example.com.localdomain
Addresses: 93.184.216.34
93.184.216.34
or
$ dig example.com +short
93.184.216.34
For Windows and Mac respectively.
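The certificate point in the answer above can be reproduced offline with Node's own hostname check. This is an added example, not part of the original posts; the certificate objects and the address 203.0.113.10 are constructed for illustration, and `checkEndpoint` and `demo` are hypothetical helper names.

```javascript
// Added example: constructed certificate fields, no network access needed.
const tls = require('tls');

// Same shape as the object returned by tlsSocket.getPeerCertificate().
// Constructed: a typical certificate issued for domain names only.
const domainCert = {
  subject: { CN: 'example.com' },
  subjectaltname: 'DNS:example.com, DNS:www.example.com',
};

// Constructed: a certificate that also carries an IP address SAN,
// which is what connecting by bare IP over HTTPS would require.
const ipSanCert = {
  subject: { CN: 'example.com' },
  subjectaltname: 'DNS:example.com, IP Address:203.0.113.10',
};

// Returns { ok, reason } for an endpoint URL checked against the
// certificate the server would present.
function checkEndpoint(endpoint, cert) {
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'plain HTTP: no encryption or server authentication' };
  }
  // The name check Node's HTTPS client applies to the server certificate.
  // It returns an Error on mismatch and undefined on success.
  const err = tls.checkServerIdentity(url.hostname, cert);
  return err
    ? { ok: false, reason: err.message }
    : { ok: true, reason: 'name matches certificate' };
}

// Runs the four cases discussed in the thread and returns the results.
function demo() {
  return [
    ['http://203.0.113.10:3000/login', domainCert],  // as in the question
    ['https://203.0.113.10:3000/login', domainCert], // IP URL, domain-only cert
    ['https://example.com:3000/login', domainCert],  // as the answer recommends
    ['https://203.0.113.10:3000/login', ipSanCert],  // cert with an IP SAN
  ].map(([endpoint, cert]) => ({ endpoint, ...checkEndpoint(endpoint, cert) }));
}

console.table(demo());
```

Only the last two rows pass: a client that reaches the server by IP address rejects a certificate issued for the domain name alone.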