If you're thinking of using node on the same server geth is located on, it's probably safer to use the IPC pipe. You can configure your geth node to start as a service, owned by a service user, and then set permissions on the IPC pipe created to only allow access to users in the same group (or to just that user). If your node script is run as the same user or as a user that's part of one of the geth user's groups, you can restrict access to that user/group.

For example, if you configure geth to have a data directory at /var/lib/geth, the pipe will be located at /var/lib/geth/geth.ipc by default (I think; the naming might be different). If you change the permissions on /var/lib/geth to 760 (u+rwx, g+rw), you can restrict access to the chain data, the IPC pipe, and the keyfiles created by geth to only the geth user or its group.

Permissions can be more finely tuned from there, if you so desire.