
What are security best practices for Node.js?

Securing Node.js applications.

What You'll Learn

  • Common vulnerabilities
  • Security packages
  • Best practices

Security Packages

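# Every package the snippets below require(), so the examples run as shown.
npm install helmet express-validator express-mongo-sanitize express-rate-limit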
const helmet = require('helmet');
const { body, validationResult } = require('express-validator');

// Security headers: helmet() bundles several header-setting middlewares
// (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, ...).
// Register it before any route so every response carries them.
// `app` is assumed to be an Express application created elsewhere in the file.
app.use(helmet());

Input Validation

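// Input validation: each body() call is a middleware that records failures on
// the request; the handler then decides whether to reject.
app.post('/users',
  // normalizeEmail() canonicalises the address (lower-cases it and, by default,
  // strips dots from Gmail local parts) — only keep it if that suits the login flow.
  body('email').isEmail().normalizeEmail(),
  // An upper bound stops arbitrarily long input from reaching a deliberately
  // slow password hash; bcrypt, for one, also silently truncates at 72 bytes.
  body('password').isLength({ min: 8, max: 128 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      // 400 with the structured error list; nothing beyond the failed rules is exposed.
      return res.status(400).json({ errors: errors.array() });
    }
    // Process valid input
  }
);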

Prevent SQL/NoSQL Injection

// ❌ Vulnerable: userId is interpolated straight into the SQL text, so any
// quote or operator in it changes the statement instead of being data.
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// ✅ Safe: parameterized query — the driver sends the value separately from the
// statement. Placeholder syntax is driver-specific (`?` here; `$1` for pg).
db.query('SELECT * FROM users WHERE id = ?', [userId]);

// MongoDB: sanitize input. Removes `$`-prefixed keys (and `.` in keys) from
// req.body/query/params so a JSON body such as {"$gt": ""} cannot become a
// query operator. Mount it before the routes that build queries.
const mongoSanitize = require('express-mongo-sanitize');
app.use(mongoSanitize());

Other Best Practices

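// Rate limiting: at most 100 requests per client IP per 15-minute window.
// The client IP comes from the socket unless app.set('trust proxy', ...) is
// configured; behind a proxy without it, every client shares one bucket.
const rateLimit = require('express-rate-limit');
const FIFTEEN_MINUTES_MS = 15 * 60 * 1000;
app.use(rateLimit({ windowMs: FIFTEEN_MINUTES_MS, max: 100 }));

// HTTPS only: redirect plain-HTTP requests to the TLS endpoint.
// req.secure is false behind a TLS-terminating proxy unless
// app.set('trust proxy', ...) is set — without it this redirects in a loop.
// The target host is configured rather than echoed from req.headers.host:
// the Host header is client-controlled, so reflecting it is an open redirect.
const CANONICAL_HOST = process.env.CANONICAL_HOST; // e.g. 'www.example.com' (placeholder)
app.use((req, res, next) => {
  if (req.secure) return next();
  // Fallback keeps the original behaviour when CANONICAL_HOST is unset — set it.
  const host = CANONICAL_HOST ?? req.headers.host;
  // 308 preserves the method and body of non-GET requests.
  return res.redirect(308, `https://${host}${req.url}`);
});

// Hide stack traces in production. The 4-argument signature is what makes
// Express treat this as an error handler — keep `next` even though it is
// only used on the headersSent path.
app.use((err, req, res, next) => {
  // Log server-side first: the client only sees a generic message in
  // production, so this is the one place the failure is recorded.
  console.error(err);
  // Once headers are sent the response cannot be changed; hand the error to
  // Express' default handler so it closes the connection.
  if (res.headersSent) return next(err);
  const inProduction = process.env.NODE_ENV === 'production';
  res.status(500).json({
    error: inProduction ? 'Server error' : err.message,
  });
});

// Use npm audit (exits non-zero when vulnerabilities are found, so it fits CI)
// npm audit
// npm audit fix   — only applies semver-compatible upgrades; review the lockfile diff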