Express Security Best Practices

Express.js · Nov 05, 2025

Security is crucial in any web application. Express.js provides flexibility, but that also means developers must proactively implement security measures to protect the application from common attacks and vulnerabilities.


1. Use HTTPS

  • Always serve your application over HTTPS instead of HTTP.

  • Encrypts data in transit, protecting sensitive information like passwords and tokens.

  • Use Let’s Encrypt for free SSL certificates or configure SSL in your hosting environment.

const https = require('https');
const fs = require('fs');
const express = require('express');

const app = express();

// Private key and certificate in PEM format (for example issued by Let's Encrypt)
const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS Server running');
});

2. Use Helmet for HTTP Headers

  • helmet sets secure HTTP headers to protect against common vulnerabilities.

npm install helmet

const helmet = require('helmet');
app.use(helmet()); // register before your routes so every response gets the headers
  • Protects against:

    • Clickjacking

    • XSS attacks

    • MIME-type sniffing

    • Missing Content Security Policy (Helmet sets a default CSP header)


3. Prevent Cross-Site Scripting (XSS)

  • Validate and sanitize user input.

  • Use template engines safely (like EJS escaping) or libraries like xss-clean.

npm install xss-clean

const xss = require('xss-clean');
app.use(xss()); // sanitizes req.body, req.query and req.params

4. Prevent SQL Injection

  • Use parameterized queries or ORM/Query Builders instead of string concatenation.

Example with MySQL2:

db.query('SELECT * FROM users WHERE id = ?', [userId], (err, results) => {
  // userId is passed as a bound parameter, never spliced into the SQL text
  ...
});
  • Avoid: 'SELECT * FROM users WHERE id = ' + userId


5. Rate Limiting

  • Protect your server from brute-force attacks by limiting the number of requests per IP.

npm install express-rate-limit

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100                  // max requests per window per IP
});

app.use(limiter);

6. Cross-Origin Resource Sharing (CORS)

  • Control which domains can access your API using cors:

npm install cors

const cors = require('cors');
app.use(cors({ origin: 'https://yourfrontend.com' }));
  • Avoid Access-Control-Allow-Origin: * in production, and never reflect an arbitrary request Origin while also sending credentials.


7. Secure Authentication and JWT

  • Use strong password hashing with bcrypt.

  • Set JWT expiration and store secrets in environment variables.

  • Avoid exposing sensitive data in tokens.


8. Error Handling and Logging

  • Avoid exposing stack traces to clients in production.

// Express treats a four-argument middleware as an error handler; register it after all routes
app.use((err, req, res, next) => {
  res.status(err.status || 500).json({ message: 'Internal Server Error' });
});
  • Log errors securely using libraries like winston (application and error logs) or morgan (HTTP request logs).


9. Session Security

  • Use express-session with secure settings:

const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,    // only sent over HTTPS
    httpOnly: true,  // not readable from client-side JavaScript
    maxAge: 3600000  // 1 hour, in milliseconds
  }
}));
  • secure → Only send cookie over HTTPS

  • httpOnly → Prevents JavaScript from accessing cookie


10. Environment Variables

  • Never hardcode secrets like API keys, DB passwords, or JWT secrets.

  • Use .env files and dotenv to load configuration securely.


11. Regular Updates and Audits

  • Keep dependencies up to date using:

npm audit
npm update
  • Regularly check for vulnerabilities and apply patches.


Summary Checklist

  1. Use HTTPS

  2. Set secure HTTP headers (Helmet)

  3. Sanitize user input (XSS prevention)

  4. Use parameterized queries (SQL injection prevention)

  5. Limit request rates (Brute-force protection)

  6. Configure CORS carefully

  7. Secure authentication and sessions

  8. Centralized error handling

  9. Keep secrets in environment variables

  10. Regularly update dependencies
