Building a robust application is a challenge for every developer. Here are some best practices I follow in my projects.
Disable “X-Powered-By”
Issue:
Attackers can understand our backend information by reading the header X-Powered-By and they can find variability easily.
Mitigation:
✅ Remove the header by express disable method.
// ExpressJs const app = express(); app.disable('x-powered-by'); // NestJs const app = await NestFactory.create<INestApplication & Application>(AppModule); // import { Application } from 'express'; app.disable('x-powered-by'); // OR import helmet from 'helmet'; const app = await NestFactory.create(AppModule); // Use Helmet to enhance security (removes X-Powered-By automatically) app.use(helmet());
Remove the “Server” name from the header
Issue:
This header reveals which server software you are using (e.g., nginx, Apache).
Mitigation:
// Express.js app.use(helmet.hidePoweredBy()); // Nginx server_tokens off;
Prevent execution of eval
Issue:
Hackers can inject harmful code into your app. If they trick your app into running eval(), they can steal data or take control.
Mitigation:
✅ Use Helmet with CSP to block eval() in frontend
const app = express(); app.use( helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], // Blocks eval() and inline scripts styleSrc: ["'self'", "'unsafe-inline'"], }, }, }) );
✅ run Node.js with the --no-eval flag for strict enforcement or config on client
node --no-eval server.js OR in package.json "scripts": { "start": "node --no-eval server.js" }
✅If you have control of frontend files. add meta
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
SQL Injection & NoSQL Injection
Issue:
Attackers can inject malicious SQL or NoSQL queries through unsanitized input fields, allowing them to read, modify, or delete database data.
Mitigation:
✅ Use ORM/ODM libraries like Sequelize, and Mongoose (to prevent raw query execution).
✅ Use parameterized queries instead of string concatenation.
✅ Sanitize user input before processing.
🔹 👎👎 Example of vulnerable code (SQL Injection):
app.get('/user/:id', async (req, res) => { const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`); res.json(user); });
🔹 👍👍Secure version (Using parameterized queries):
app.get('/user/:id', async (req, res) => { const user = await db.query("SELECT * FROM users WHERE id = ?", [req.params.id]); res.json(user); });
Cross-Site Scripting (XSS)
Issue:
Attackers inject malicious scripts into web pages, which execute in a user’s browser (stealing cookies, session tokens, or defacing the page).
Mitigation:
✅ Escape user-generated content before rendering it.
✅ Use security headers (Content-Security-Policy, X-XSS-Protection).
✅ Use libraries like DOMPurify to sanitize HTML input.
🔹 👎👎 Example of vulnerable code (XSS):
app.get('/profile', (req, res) => { res.send(`<h1>Welcome, ${req.query.name}</h1>`); // 🚨 If name = `<script>alert('Hacked!')</script>`, it will execute in the browser. });
🔹 👍👍 Secure version (Escaping HTML output):
const escape = require('escape-html'); app.get('/profile', (req, res) => { res.send(`<h1>Welcome, ${escape(req.query.name)}</h1>`); });
Cross-Site Request Forgery (CSRF)
Issue:
An attacker tricks users into making unintended requests (e.g., changing passwords, or making purchases) without their knowledge.
Mitigation:
✅ Use CSRF tokens (e.g., csurf middleware in Express).
✅ Use SameSite cookies to prevent cross-origin requests.
✅ Confirm sensitive actions with re-authentication (e.g., password re-entry).
🔹 Example of CSRF protection using csurf middleware:
const csurf = require('csurf'); app.use(csurf()); app.post('/update-profile', (req, res) => { res.send('Profile updated securely'); });
Authentication & Session Hijacking
Issue:
Weak authentication mechanisms allow attackers to steal user sessions or log in as another user.
Mitigation:
✅ Use strong password hashing (bcrypt, Argon2).
✅ Enforce multi-factor authentication (MFA).
✅ Use secure session cookies (HttpOnly, Secure, SameSite).
✅ Implement rate limiting to prevent brute-force attacks.
🔹 Example of secure password hashing in Node.js:
const bcrypt = require('bcrypt'); const hashPassword = async (password) => { const salt = await bcrypt.genSalt(10); return bcrypt.hash(password, salt); }; const verifyPassword = async (password, hash) => { return bcrypt.compare(password, hash); };
Broken Authorization
Issue:
Users can access unauthorized resources due to improper permission checks.
Mitigation:
✅ Use Role-Based Access Control (RBAC).
✅ Enforce strict API authorization rules.
✅ Never trust the req.body or req.user.role without validation.
🔹 Example of enforcing authorization:
const checkAdmin = (req, res, next) => { if (req.user.role !== 'admin') { return res.status(403).json({ error: 'Unauthorized' }); } next(); }; app.delete('/admin/delete-user', checkAdmin, (req, res) => { res.send('User deleted'); });
Security Misconfigurations
Issue:
Exposing default credentials, stack traces, unnecessary services, or using outdated dependencies.
Mitigation:
✅ Disable stack traces in production (NODE_ENV=production).
✅ Use environment variables instead of hardcoded secrets.
✅ Keep dependencies updated (npm audit fix).
✅ Use helmet middleware to set secure HTTP headers.
🔹 Example of using helmet for security headers:
const helmet = require('helmet'); app.use(helmet());
Denial of Service (DoS) & Rate Limiting
Issue:
Attackers send massive requests to exhaust server resources, causing downtime.
Mitigation:
✅ Use rate limiting (express-rate-limit).
✅ Implement request validation to block large payloads.
✅ Use load balancing & caching to distribute traffic.
🔹 Example of rate limiting:
const rateLimit = require('express-rate-limit'); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 // Limit each IP to 100 requests per window }); app.use(limiter);
If you are using NestJs, use Throttler
Limit payload size
The larger the request payload, the harder your server works to process it. Attackers can exploit this to overload your server with fewer requests (DoS/DDoS attacks).
Limit the request body size at the edge (e.g., firewall, ELB) or configure the Express body parser to accept only small payloads.
Otherwise, your app may struggle with large requests, slowing down important tasks and increasing vulnerability to attacks.
// Express app.use(express.json({ limit: '300kb' })); // nginx http { ... # Limit the body size for ALL incoming requests to 1 MB client_max_body_size 1m; } server { ... # Limit the body size for incoming requests to this specific server block to 1 MB client_max_body_size 1m; } location /upload { ... # Limit the body size for incoming requests to this route to 1 MB client_max_body_size 1m; }
Avoid Evil RegEx
Regular expressions are useful but can be dangerous, especially in JavaScript and Node.js. A poorly designed regex can consume excessive CPU, potentially blocking the event loop for seconds and overloading the server.
Use third-party validation libraries validator.js instead of custom regex patterns. If you must use regex, check for vulnerabilities with safe-regex. This helps prevent performance issues and security risks.
Add Neccisory headers for more security
Strict-Transport-Security (HSTS)
Forces the browser to only use HTTPS, preventing man-in-the-middle attacks.
// Express app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true })); // Nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
X-Content-Type-Options
Prevents browsers from MIME-sniffing files as a different type (e.g., treating an image as JavaScript).
// ExpressJs app.use(helmet.noSniff()); // Nginx add_header X-Content-Type-Options "nosniff";
X-Frame-Options
Blocks clickjacking attacks by preventing your site from being embedded in an <iframe>
app.use(helmet.frameguard({ action: 'deny' }));
Referrer-Policy
Controls how much referrer information is shared to prevent leaking sensitive URLs.
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }));
Permissions-Policy
Restricts access to APIs like camera, microphone, and geolocation
app.use( helmet.permittedCrossDomainPolicies({ permittedPolicies: 'none' }) );
If you want to dig deep, follow this link https://github.com/goldbergyoni/nodebestpractices/tree/security-best-practices-section#-65-collection-of-common-generic-security-best-practices-15-items
Conclusion
Thank you for reading my article! While we can’t make anything 100% secure on the internet, we can still make our apps safer. Using these settings helps reduce risks and improve security. I think every developer set up this when they set up the project.
