Security through obscurity is fine if it's an additional layer in a well thought out security implementation. I've build a bespoke Node.js site/service where I sometimes have to kick out clients due to various reasons. I sometimes fear reprisal and have to consider a targeted attack on my infrastructure. And indeed I do get the occasional hack attempt with for instance hand crafted sql injection attempts (I receive an instant notification when this happens). The best approach in hardening your infrastructure I think is trying to hack your own service by trying a plethora of methods like sql injection attacks or denial of service attacks on your public api's.
