Best Practices for Building Scalable Realtime Apps

9 min read Michael Carroll on Nov 17, 2023
Best Practices for Building Scalable Realtime Apps with PubNub & Socket.IO - Blog.jpg

Best Practices for Building Scalable Realtime Apps with PubNub and Socket.IO

In Parts I and II of this Socket.IO blog series, we introduced you to the pros and cons of building realtime apps with Socket.IO and took you through the architectural patterns and considerations.

In this final post, we wrap up by giving you the ins and outs of building realtime apps with PubNub and Socket.IO.

To get the best out of your applications, make sure to manage the following:

Connection optimization

Whenever you send or receive a message from the backend, you’ll expend resources to open, maintain, and close connections to the database. Your application’s performance may deteriorate because of the large overhead. Connection pooling uses a reusable database connection cache to store data. Using cache data, applications can scale efficiently to manage increases in server requests instead of opening and closing connections every time. Connection pooling consists of two types of connections:

  • Active connections that the application is using

  • Idle connections that the application has available for use

When a new request comes in, the pool manager will look for any idle connections to handle the request. If all connections are active, it will add a new connection to the pool. If the pool is at its maximum capacity, the new requests will be queued until a connection becomes available.

State management

An application’s “state” is how it tracks and handles system information at any time. Ensuring an application functions correctly and provides a seamless user experience is essential. Poor state management can hinder application scaling because data may be scattered or not properly synchronized. This means introducing new updates or features will become more difficult. Using a stateless architecture can circumvent this issue. That’s because the state of older transactions isn’t stored on the server side or referenced in subsequent transactions. Instead, this architecture stores data on the client side while sending “reminders” to the server about previous steps and additional information. Designing and implementing stateless architecture is relatively straightforward. Still, a few things to remember to ensure it functions optimally:

  • If the workload increases exponentially, share the load evenly among the servers. You can do this using a load balancer.

  • Session-related bugs are hard to fix, as cookies and other session data are stored on the server. Try to avoid sessions as much as possible.

Scalable databases

Every application backend is connected to a database to manage user data. But your database has limits, and as your application becomes more popular, ensure your database can also handle the increased workload effectively and cost-effectively. Consider opting for database applications with automated scaling capabilities like MongoDB and Cassandra to scale effortlessly. They can automatically adjust their capacity to handle sudden workload spikes, making them very useful in large-scale applications.

Handling real-time traffic spikes

Traffic spikes are increases in workload significantly more than the application’s average. You may experience spikes in various forms, including:

  • Database load spikes

  • Concurrent user increases

  • Database storage limitations

  • Multiple HTTP requests

  • Cache overload

Though you can’t avoid traffic spikes, you can prepare your application to handle them.

STEP 1: Define your capacity

Understanding your application’s load limits ensures you always deliver the best user experience. You can measure your load limit by establishing two baselines:

  • The maximum load your application can realistically handle without compromising performance.

  • The average load your system can handle under normal conditions.

Methods like load testing and analyzing historical data can help you establish the application’s capacity by measuring key performance indicators (KPIs) like response time, throughput, error rate, and availability.

STEP 2: Forecast your demand

Estimating how much load your system will have to manage over time will help you plan your scaling strategy and prepare for any unexpected scenarios. Using data on seasonal trends, company plans, and user behavior, you can create forecasting models and scenario planning to predict future application workloads.

STEP 3: Plan your resources

Once you’ve established your baseline and predicted workloads, the next step is to assess if your hardware, software, and supporting network components can handle the workload increase. You can allocate resources effectively using capacity planning models and simulations. They will also help predict future costs, performance issues, and the security risks associated with scaling your application.

STEP 4: Monitor your system

Despite in-depth planning and flawless execution, there is always a chance of problems when dealing with unregulated traffic spikes. Continuous monitoring is the best way to detect any anomalies affecting your system. You can monitor your system performance by analyzing system logs, setting alerts, and creating dashboards to identify and troubleshoot any unexpected behavior.

Real-world use cases: How SaaS companies use PubNub with connections to prevent account sharing

Subscription-based SaaS companies, like Netflix and Amazon Prime, regularly deal with the problem of account sharing, where multiple users use the same account. To tackle this, SaaS companies look for a security pattern that allows only one connection per authenticated user while using a network like SocketIO for NodeJS. PubNub’s Edge Messaging Network uses one of two methods to prevent multiple logins on one account:

  1. Force Remote WebSocket Logout: To revoke previous login permissions when a new user logs in.

  2. Block Access While WebSocket Subscription in Use: To prevent new logins when a user is already logged in.

PubNub has the core services to build a reliable geo-redundant signaling solution for WebSockets, XMPP, BOSH, Comet, HTTP long-polling, etc. It is compatible with all programming languages, including Android Java, iOS Objective-C, and JavaScript Web/Mobile.

Monitoring and optimizing performance in scalable real-time applications

Performance and network security are essential for delivering phenomenal user experiences. Realtime applications must regularly track the application’s health using real-time monitoring tools, which track and record data on KPIs like:

  • Bandwidth usage

  • Latency

  • Error states

  • Server response time

  • CPU usage

  • Network traffic volume

These tools use devices like sensors, probes, monitoring servers, and cloud-based monitoring platforms to track these metrics effectively. The aggregated data is usually presented in customizable analytics dashboards for easy comprehension and troubleshooting. You can also integrate with existing diagnostics and incident management systems for a more holistic understanding. Every metric being tracked has a predefined threshold that, if exceeded, will trigger a warning or alert in the system. This warning signal lets you know of imminent failure so you can take preventive measures before your system fails. Development teams should continuously monitor the effectiveness and efficiency of their real-time monitoring strategy, regularly reviewing monitoring parameters, alerting thresholds, and responses.

Security considerations in scalable real-time applications

Sharing data in real time between two or more devices opens up a can of security threats. The more aware development teams and organizations are of these threats, the better their chances of avoiding security incidents. Here are a few common security threats for real-time applications:

Cross-site scripting attacks

Cross-site scripting (XSS) attacks hack into privileged accounts by forging cookies to imitate valid users. Once logged in, malicious actors can use the accounts to alter content and perform other actions. There are three types of XSS attacks:

  • Reflected attacks that use dummy links and sites to send malicious scripts to the victim’s browser

  • Document Object Model-based attacks that inject malicious payloads into a webpage by manipulating the client’s browser

  • Stored XSS attacks that use unsanitized user inputs to target scripts permanently stored on target servers

Buffer overflow attacks

In development, a buffer is a region that temporarily holds data being moved from one place to another. A buffer overflow attack exploits vulnerabilities when more data is added than it can hold, allowing attackers to crash, control, or modify the system. In-house applications are the most vulnerable to buffer overflows. Most commercial applications have identified and released patches to mitigate buffer vulnerabilities.

Broken access control vulnerabilities

Access control is a security protocol that decides which users can access certain resources in a system. Without efficient access control, malicious users can masquerade as valid users to infiltrate the system. You can protect your system by introducing principles of least privilege and role-based access control. These limit user access rights to the bare minimum necessary for job function.

Best practices for securing your application at scale is vulnerable to external attacks. To get the most out of, take steps to avoid common pitfalls and errors.

Use middleware offers middlewares that can perform various functions to protect your data from malicious attacks. Middleware functions can be used for:

Avoid tunneling uses tunneling to route HTTP/HTTPS requests from a public server to your local server. However, using public networks with opens up your application to malicious attacks. Avoid public networks whenever possible. Instead, use other secure and verified protocols.

Use SSL/TLS encryption

Secure Sockets Layer (SSL) is a standard protocol to create secure connections between two devices or applications in a network. It prevents hackers from stealing personal and financial data. Transport Layer Security (TLS) is a more advanced version of SSL. It supports encrypted communication channels that address SSL vulnerabilities. TLS allows for more efficient authentication, faster handshakes, additional support messages, and more advanced message authentication.

How and PubNub are evolving to meet future scalability needs alone is great for establishing real-time data streaming connections for Node.js. But when used with PubNub, can enhance connections using other real-time features like:

Data streaming

Achieve publication and subscription to real-time data streams in less than one-tenth of a second.


Determine who is present by actively monitoring and detecting the connection status of users and devices.

Storage and playback

Effectively store, retrieve, and replay messages in realtime in the order that they occurred.


Visualize and oversee real-time traffic and usage for comprehensive insights.

Cross platform

Serialize and deserialize intricate objects automatically, even when working across diverse programming languages and platforms.

Security and access management

Enhance security with AES data encryption and implement a robust grant/revoke framework to ensure only authorized users can subscribe to real-time data streams.

Case studies: Augmenting applications with PubNub

Case Study 1: How uses PubNub functions to power its global IoR network is a platform offering Internet of Recognition (IoR) solutions. Initially, they relied on Google’s Firebase and socket development tools like for data integration. However, building the real-time network infrastructure to scale their systems was extremely complex and expensive. Eventually, the team decided to go with PubNub, as it offered 50+ software development kits (SDK) provisioning access keys, channels, and functions to transmit IoR analytics events to customer dashboards in realtime. With PubNub, significantly accelerated development cycles, often achieving production-ready solutions in less than a week. PubNub also offered other clear advantages:

  1. Integrated within server nodes to enable real-time voice data conveyance with minimal latency

  2. Powered real-time responses to voice requests for’s voice recognition service, Galaxy

  3. Integrated data seamlessly with enterprise platforms like Microsoft Azure Hub and IBM’s Bluemix

PubNub allowed to stay laser-focused on its customers’ needs by maintaining its real- time infrastructure, making it an invaluable component of its IoR platform.

Case Study 2: Disprz uses PubNub to empower a more knowledgeable workforce

Disprz is an employee development and engagement platform with a mission to enhance sales and customer service through personalized and gamified knowledge delivery. Disprz initially built the platform in-house using and other open-source components but soon faced scalability and performance challenges as they introduced new features like group chat rooms, send messages, and a collaborative whiteboard. PubNub allowed Disprz to deliver these real-time services on top of protocols. The company transitioned from the in-house stack to PubNub services seamlessly, thanks to PubNub’s excellent documentation and responsive customer support. Since adopting PubNub, Disprz has achieved its scalability goals without compromising performance, even as its user base grows by 30% quarter over quarter. Looking ahead, Disprz is poised for international expansion, targeting the U.S. market while continuing to grow its real-time user base in India. PubNub’s global redundancy, featuring 15 points of presence worldwide, positions PubNub as a crucial partner to support Disprz’s ambitious growth plans.

The future of scalable real-time applications

Users expect real-time interactions, and developers are rushing to meet this demand, driving innovation in the real-time application space. Keeping up with the latest trends is the best way to provide users with the best user experience.

Case-specific databases

Previously, all data, regardless of type or use case, was stored in a single data store. This was inefficient and dev teams moved to customized database applications that enable specific use cases. This approach turned out to be more effective, flexible, and future-proof. Moreover, it complied with data governance and compliance standards.

Low- or no-code platforms

Low-code or no-code platforms are the latest trend in application development. They enable even non-technical users to develop applications without any prior development experience. They also allow organizations to create and deploy useful applications quickly and easily. However, you may need to compromise on flexibility since you’re limited by the capabilities of the application itself.

Enforcement of data governance policies

With easier access to data, governments and consumers are concerned with how organizations use and safeguard data. Ensuring compliance with data governance policies is critical for organizations to continue their data streaming operations.

Scaling your real-time applications

The importance of scalability in real-time applications cannot be overstated. It allows applications to adapt to changing workloads while delivering high-quality user experiences cost-effectively. However, scalable real-time applications introduce development and workflow complexities. Dev teams will find overcoming these complexities worthwhile, considering scalability’s numerous performance and user experience benefits.

PubNub’s integration with enhances real-time concurrent connections by providing features like rapid data streaming, presence monitoring, storage and playback, analytics, cross-platform compatibility, and robust security and access management.

Reach out to us to learn more about how PubNub can take your real-time application to the next level. Or start your free trial to see the magic yourself.