What are security best practices for Express.js APIs?
Answer
Production Express security checklist: Use Helmet for security headers. Validate and sanitize all input with Joi or express-validator. Use parameterized queries — never concatenate user input into SQL or MongoDB queries. Rate limit all endpoints, especially auth. Use HTTPS in production. Store secrets in environment variables, never in code. Use bcrypt for password hashing (min cost factor 12). Set HttpOnly, Secure, SameSite flags on cookies. Prevent mass assignment — explicitly whitelist allowed fields. Implement proper CORS restrictions. Avoid revealing stack traces in error responses. Update dependencies regularly and audit with npm audit. Use express-mongo-sanitize to prevent NoSQL injection.
Previous
How do you implement WebSocket support alongside Express.js?
Next
How does clustering work in Node.js/Express for better performance?
More Express.js Questions
View all →- Advanced How do you implement WebSocket support alongside Express.js?
- Advanced How does clustering work in Node.js/Express for better performance?
- Advanced What is the difference between Express 4.x and Express 5.x?
- Advanced How do you implement a graceful shutdown in Express.js?
- Advanced How do you implement request tracing and correlation IDs in Express?