Is there a possibility of a "Direct browsing of a resource" attack in Node.js applications, and how can I prevent it?
EDIT: I use express framework
Node.js http servers do not serve any static content, they only call your code. If there is any possibility for an attack it would be in your code, not in Node.js core or in the http module.
Regarding your edit: Express provides a static middleware, which could open a possibility for a direct browsing attack, if you configure it to serve static files from a directory that contains sensitive resources. If you keep a dedicated directory for your static content, all of which is safe to be browsed directly, and there is no sensitive content below that directory, you'll be safe if you serve it with Express' static middleware.
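A way to check the condition the answer describes (nothing sensitive below the static directory), as an added example that is not part of the original answer. It uses only Node.js core modules; the SENSITIVE pattern list, the function names and the sample project layout are assumptions made for illustration.

```javascript
'use strict';
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumed deny-list: names that should never sit below a static root.
const SENSITIVE = [/^\.env/, /^\.git$/, /^node_modules$/,
  /\.(pem|key|sqlite|log|bak)$/i,
  /^(package(-lock)?\.json|config\.(js|json))$/];

// Walk staticRoot and return, as request paths, every entry whose name
// matches SENSITIVE. A matching directory is reported once, not descended.
function findExposed(staticRoot, rel = '') {
  const hits = [];
  const entries = fs.readdirSync(path.join(staticRoot, rel), { withFileTypes: true });
  for (const entry of entries) {
    const relPath = path.posix.join(rel, entry.name);
    if (SENSITIVE.some((re) => re.test(entry.name))) {
      hits.push('/' + relPath);
    } else if (entry.isDirectory()) {
      hits.push(...findExposed(staticRoot, relPath));
    }
  }
  return hits.sort();
}

// Constructed sample project (empty files in a temp directory).
function buildSampleProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'static-audit-'));
  const files = ['app.js', 'config.json', '.env', 'keys/server.key',
    'public/index.html', 'public/css/site.css'];
  for (const f of files) {
    const full = path.join(root, f);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, '');
  }
  return root;
}

const project = buildSampleProject();
// Weak setting: app.use(express.static(project)) would publish the whole tree.
console.log('project root as static root:', findExposed(project));
// Dedicated directory: app.use(express.static(path.join(project, 'public')))
console.log('public/ as static root     :', findExposed(path.join(project, 'public')));
```

Run it against the directory you pass to the static middleware, for example as a pre-deploy check that fails when the returned list is not empty.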