<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Govind Tiwari</title>
    <description>The latest articles on Forem by Govind Tiwari (@govind_tiwari).</description>
    <link>https://forem.com/govind_tiwari</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2160210%2F72d30e7e-13da-4d16-89ef-a3411dbe0407.jpg</url>
      <title>Forem: Govind Tiwari</title>
      <link>https://forem.com/govind_tiwari</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/govind_tiwari"/>
    <language>en</language>
    <item>
      <title>Best Security Practices in Express.js – A Beginner's Guide</title>
      <dc:creator>Govind Tiwari</dc:creator>
      <pubDate>Mon, 28 Apr 2025 12:20:18 +0000</pubDate>
      <link>https://forem.com/govind_tiwari/best-security-practices-in-expressjs-a-beginners-guide-19k1</link>
      <guid>https://forem.com/govind_tiwari/best-security-practices-in-expressjs-a-beginners-guide-19k1</guid>
      <description>&lt;p&gt;Hi there! 👋&lt;/p&gt;

&lt;p&gt;Welcome to my very first blog post! I'm a developer with about six months of hands-on experience in building web applications, and through this journey I’ve realized how crucial security is, especially when working with Express.js, a fast, unopinionated, minimalist web framework and one of the most popular frameworks for Node.js.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft64u5ylujanu9bou035c.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft64u5ylujanu9bou035c.gif" alt="Sad Cat" width="128" height="128"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this post, I’ll share some of the best security practices I’ve learned (sometimes the hard way!) while working with Express.js. Whether you're just starting out or looking to reinforce your backend with better security habits, I hope this guide helps you build safer and more reliable apps.&lt;/p&gt;

&lt;p&gt;Let’s get started!&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Use Helmet
&lt;/h2&gt;

&lt;p&gt;Helmet is a middleware for Express that improves your app's security by automatically setting helpful HTTP headers. While it's not a complete security solution, it adds a protective layer against several common web threats by configuring headers like X-Content-Type-Options, X-DNS-Prefetch-Control, and more.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const helmet = require('helmet');
const app = require('express')();

// Register before your routes so every response gets the security headers.
app.use(helmet());
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  2. Implement Rate Limiting
&lt;/h2&gt;

&lt;p&gt;Rate limiting is an effective way to reduce the risk of brute-force attacks by restricting how many requests a user can make over a specific period. In Express.js applications, this can be implemented using the express-rate-limit middleware.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const rateLimit = require('express-rate-limit');

// At most 100 requests per client (keyed by IP address by default) per 15-minute window.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true, // report the limit in the RateLimit-* headers
  legacyHeaders: false,  // do not send the older X-RateLimit-* headers
});

// Applied to every route; use a stricter limiter on login and password-reset routes.
app.use(limiter);
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  3. Keep Dependencies Updated
&lt;/h2&gt;

&lt;p&gt;Software vulnerabilities are found frequently, and relying on outdated packages can put your application at risk. To help keep your dependencies secure, make use of tools such as npm audit or Snyk to detect and resolve known security issues.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit fix
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  4. Sanitize Input
&lt;/h2&gt;

&lt;p&gt;Validating and sanitizing input is a key defense against injection attacks. Always assume user input may be harmful: validate and clean it thoroughly before using it in your application.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const express = require('express');
const app = express();
const { body, validationResult } = require('express-validator');

// Parse JSON bodies so the validators have something to check.
app.use(express.json());

app.post('/user',
  // Validators reject bad input; sanitizers (trim, normalizeEmail) clean it.
  body('username').trim().isAlphanumeric(),
  body('email').isEmail().normalizeEmail(),
  (req, res) =&amp;gt; {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }

    // Proceed with handling request using the validated, sanitized values
    const { username, email } = req.body;
    res.status(201).json({ username, email });
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  5. Use HTTPS
&lt;/h2&gt;

&lt;p&gt;Data sent over HTTP isn’t protected, which leaves it open to being intercepted or modified. To secure communication, switch to HTTPS. In Express.js, this can be achieved by integrating Node’s https module with fs to load your SSL/TLS certificates.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const https = require('https');
const fs = require('fs');
const app = require('express')();

// Private key and certificate in PEM format; keep the key file out of version control.
const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

// If a reverse proxy terminates TLS for you instead, set app.set('trust proxy', 1)
// so Express still knows the original request was HTTPS.
https.createServer(options, app).listen(443);
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  6. Handle Errors Properly
&lt;/h2&gt;

&lt;p&gt;While Express.js provides built-in error handling, it's a best practice to create custom error handling middleware. This allows for better control over how errors are caught and managed in your application.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// Error-handling middleware takes four arguments; register it after all routes.
app.use((err, req, res, next) =&amp;gt; {
  console.error(err.stack); // keep the details in server-side logs
  res.status(500).send('Something broke!'); // generic message to the client
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  7. Use Cookies Securely
&lt;/h2&gt;

&lt;p&gt;When using cookies for session management, it's essential to set the secure and httpOnly flags. The secure flag ensures cookies are only sent over HTTPS, while httpOnly prevents client-side scripts from accessing the cookie, safeguarding against potential security threats like XSS.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const session = require('express-session');

// If TLS is terminated by a reverse proxy, add app.set('trust proxy', 1)
// so that secure cookies are still set.
app.use(session({
  secret: 'your-secret', // load from an environment variable, not source code
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,     // only sent over HTTPS
    httpOnly: true,   // not readable from client-side JavaScript
    sameSite: 'lax',  // limits cross-site sending of the cookie (CSRF)
  },
  // other configuration
}));
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  8. Avoid Revealing Stack Traces
&lt;/h2&gt;

&lt;p&gt;In Express.js, the default error handler includes the stack trace in the response to the client unless the app runs with NODE_ENV set to production. To prevent revealing sensitive information, always disable stack traces in production environments by using custom error handling middleware.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;// Register this last, after all routes, so it catches their errors.
if (app.get('env') === 'production') {
  app.use((err, req, res, next) =&amp;gt; {
    console.error(err); // keep the details in server logs
    res.status(500).send('Server Error'); // no stack trace to the client
  });
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  9. Secure File Uploads
&lt;/h2&gt;

&lt;p&gt;When handling file uploads, it's crucial to verify the file type, set size limits, and scan for malware to protect your application from potential threats.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const multer = require('multer');
const upload = multer({
  dest: 'uploads/', // files are stored under random names, not the uploaded name
  limits: { fileSize: 1000000, files: 1 },
  fileFilter: (req, file, callback) =&amp;gt; {
    // Both the extension and the MIME type come from the client, so this only
    // filters obvious mismatches; inspect the file contents before trusting it.
    const isImageName = /\.(jpg|jpeg|png|gif)$/i.test(file.originalname);
    const isImageType = /^image\/(jpeg|png|gif)$/.test(file.mimetype);
    if (!isImageName || !isImageType) {
      return callback(new Error('Only image files are allowed!'), false);
    }
    callback(null, true);
  }
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  10. Authenticate &amp;amp; Authorize
&lt;/h2&gt;

&lt;p&gt;Implementing robust authentication and authorization checks is essential for security. Tools like Passport.js can simplify and strengthen the management of user authentication in your application.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy((username, password, done) =&amp;gt; {
  // Implement your verification logic: look up the user and compare the
  // submitted password against a stored hash (never plaintext), then call
  // done(null, user) on success, done(null, false) for a bad credential,
  // or done(err) if the lookup itself fails.
}));

app.use(passport.initialize());
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By following these best practices, you're not only securing your application but also protecting your users' data and trust. Keep in mind, security is an ongoing process that requires regular code reviews, monitoring, and updates to stay ahead of potential threats. 😉&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhfot92uq6y2s554em9e.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhfot92uq6y2s554em9e.gif" alt="Happy &amp;amp; Dancing Cat" width="200" height="200"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>node</category>
      <category>hacking</category>
      <category>express</category>
      <category>programming</category>
    </item>
  </channel>
</rss>
