[NodeJS] Is my backend code secured?

I'd like to create a simple site on NodeJS. For example, it has two files: app.js (the main application file) and router.js (a URL file). I'd like to know: is it possible for anyone to just access mydomain.com/router.js to get the source code of my application? I'm asking because, for example, in PHP you can't just access a PHP file; as you know, the server just gives you the result of running the PHP file, but not the file itself. So, how do I make my NodeJS app invisible to public access? Thanks!

That depends on how you are using Node.js and what you are using for a web server in front of it. Unlike PHP running as CGI or as a module in Apache, node and the node application itself is a server. If you have a webserver with your node source directory exposed then the url you provided in the question will most likely result in your source code being served. Even if you were using Apache and proxying to node, there is usually no output filter involved. Instead requests are passed to the backend node server which interprets them.

I make sure that all files for Node.js are never in a path that is served by another web server such as Apache. That way, there is little danger of the source ever being served by accident.

My node programs and files go in /var/nodejs with a sub-folder for each application in Node. By default, of course, Node will not serve ANYTHING unless you tell it to.

At the root of my Apache configuration, I make sure that ALL folders are secured so that I explicitly have to enable serving on any folder structure even under the /var/www folders that I use for all Apache sites.

So you are pretty safe with a default setup of Node and Apache as long as you keep the folders separate. Also, Node will not serve source code accidentally; you would have to set up a Node server that read the file as text and wrote it to the HTTP stream.
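
The point both answers make, that Node only serves what the application is written to serve, shown as an added example that is not part of the original answers. The `public/` sub-folder, the port and the function names `resolvePublicPath` and `createStaticServer` are assumptions made for illustration.

```javascript
// Added example. Assumed layout (names are illustrative):
//   /var/nodejs/myapp/app.js, router.js  <- application source, never served
//   /var/nodejs/myapp/public/            <- the only directory exposed over HTTP
const http = require('http');
const fs = require('fs');
const path = require('path');

// Map a request URL to a file strictly inside publicRoot, or return null.
function resolvePublicPath(publicRoot, url) {
  let decoded;
  try {
    decoded = decodeURIComponent(url.split('?')[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (!decoded.startsWith('/') || decoded.includes('\0')) return null;
  if (decoded.endsWith('/')) decoded += 'index.html';

  const root = path.resolve(publicRoot);
  const candidate = path.join(root, decoded); // join() collapses ".." segments
  // Containment check: anything that climbed out of public/ is refused.
  return candidate.startsWith(root + path.sep) ? candidate : null;
}

// Server that answers only with files under publicRoot; everything else is 404.
function createStaticServer(publicRoot) {
  return http.createServer((req, res) => {
    const file = resolvePublicPath(publicRoot, req.url);
    if (!file) {
      res.writeHead(404);
      return res.end('Not found');
    }
    fs.readFile(file, (err, data) => {
      if (err) {
        res.writeHead(404);
        return res.end('Not found');
      }
      res.writeHead(200);
      res.end(data);
    });
  });
}

// Usage from app.js (not started here):
//   createStaticServer(path.join(__dirname, 'public')).listen(3000);
```

Passing the application folder itself as `publicRoot` would make `/router.js` resolve to the source file, which is the exposure the question asks about; keeping static files in their own folder avoids it.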