Express.js Security Checklist for Production

We have all been there. The features work, the unit tests are green, and the product manager is asking for the deployment URL. The temptation to just run npm start and walk away is massive.

But the internet is hostile. Deploying a raw Express application is like leaving your front door wide open; you might be safe for a few hours, but eventually, someone is going to walk in and take the TV.

I have compiled the "save-your-bacon" checklist I use before any Node.js API hits production. No fluff, just the hardening steps that stop 99% of automated attacks.

1. The Low-Hanging Fruit: Helmet

If you do nothing else, do this. By default, Express broadcasts headers (like X-Powered-By) that tell attackers exactly what software stack you are running. That is intelligence you shouldn't give away for free.

helmet is a middleware suite that sets various HTTP headers to secure your app. It handles XSS protection, prevents clickjacking, and hides your tech stack.

const helmet = require('helmet');

// Place this at the very top of your middleware stack
app.use(helmet());

It takes seconds to install and closes a dozen security gaps instantly.

2. Brute Force Barriers: Rate Limiting

APIs get hammered. Sometimes it's a malicious botnet; sometimes it's a useEffect loop you wrote at 2 AM that won't stop firing. Without rate limiting, a single source can eat up all your CPU and memory (DoS).

Use express-rate-limit to set a boundary.

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per window
  message: "Too many requests, please try again later."
});

app.use(limiter);

This ensures that if someone tries to guess a password 500 times in a minute, they hit a wall before your database crashes.

3. Trust Nobody: Input Validation

Never assume the data coming from the client is clean. Browsers can be bypassed. curl doesn't care about your React validation rules. Users will send strange strings, massive JSON objects, and SQL injection attempts.

Stop writing manual if-else checks. Use a library like Joi or Zod. They let you define strict schemas and reject bad payloads immediately.

// Example using Joi
const schema = Joi.object({
    username: Joi.string().alphanum().min(3).max(30).required(),
    email: Joi.string().email().required()
});

// The request dies here if the data is bad

This keeps your controller logic clean and your database safe from injection attacks.

4. Silence is Golden: Error Handling

In development, a detailed stack trace is great—it tells you exactly where the code broke. In production, a stack trace is a treasure map for hackers. It reveals file paths, library versions, and internal logic.

Ensure your environment variables are set so Express knows to keep quiet.

In your .env file:

NODE_ENV=production

In your global error handler:

app.use((err, req, res, next) => {
  const statusCode = err.statusCode || 500;
  res.status(statusCode).json({
    status: 'error',
    // Only leak details if we are NOT in production
    message: process.env.NODE_ENV === 'production' ? 'Internal Server Error' : err.message
  });
});

5. Lock Down Access: CORS

Cross-Origin Resource Sharing (CORS) can be annoying to configure, so developers often set it to allow all (*). This is dangerous if you use cookies or authentication headers, as it allows any site on the web to talk to your backend.

Be specific. Whitelist only the domains that actually need access.

const cors = require('cors');

const corsOptions = {
  origin: '[https://www.your-frontend-domain.com](https://www.your-frontend-domain.com)',
  optionsSuccessStatus: 200
};

app.use(cors(corsOptions));

6. Check Your Luggage: Dependency Audits

The Node ecosystem is huge. You are likely pulling in hundreds of dependencies, and you didn't write any of them. One compromised package deep in your node_modules can open a backdoor.

Before deploying, always run:

npm audit

If you see red, fix it. Upgrading a library now is easier than explaining a data breach later.

7. Cookie Hygiene

If you use cookies for sessions, they need to be bulletproof. If an attacker can read your cookie via JavaScript, they can become your user.

Set these flags when sending cookies:

httpOnly: Prevents client-side JS from reading the cookie.
secure: Ensures the cookie is only sent over HTTPS.
sameSite: Protects against CSRF attacks.

res.cookie('session', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production', 
  sameSite: 'strict'
});

Final Thoughts

Security is not a checkbox you tick once; it is a mindset. This list won't protect you from the NSA, but it filters out the low-effort attacks that constantly scan the web.

Take the extra hour to lock these down. Your future self will thank you.

Sociials.