The configuration file (nodejs.config.js w/ secret key) should be protected from public access.

Maybe all SSJS could be moved to a separate directory (server/?) - that directory then again could/should be moved of the webroot as starting one webserver [nodejs] from within the webroot of another [Apache] feels kind of weird to me :)

Sample .htaccess

# Deny every js by default
<Files *.js>
  deny from all
</Files>
# But allow nodejs.js
<Files nodejs.js>
  allow from all
</Files>