Step-by-Step Guide

How to Implement Security Best Practices in Node.js

A step-by-step guide on how to secure a Node.js Express application against common vulnerabilities including XSS, CSRF, SQL injection, and more.

Use Helmet to Set Secure HTTP Headers

Install and apply the helmet middleware at the top of your Express middleware stack. Helmet sets several security-related HTTP response headers automatically including Content-Security-Policy to prevent XSS, X-Frame-Options to prevent clickjacking, Strict-Transport-Security to enforce HTTPS, and X-Content-Type-Options to prevent MIME sniffing. These headers are invisible to users but significantly reduce attack surface.

Validate and Sanitize All User Input

Never trust data received from clients. Validate every piece of input against expected types, formats, and ranges before using it. Use a schema validation library like Joi or Zod to define the expected shape of request bodies and validate against it. Reject any request that does not conform to the schema with a 400 response before the data ever reaches your business logic or database.
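The schema-validation step above, as an added example that is not part of the original guide: instead of pulling in Joi or Zod, it uses a small hand-written schema object with the same ideas (type, range, length, format, and no unknown fields) and an Express-style middleware that answers 400 before the handler runs. The field names and the `/api/signup` route are assumptions for illustration.

```javascript
// Added example, not from the guide: a minimal schema validator and an
// Express-style middleware that rejects non-conforming bodies with 400.
// Field names below are assumed for a hypothetical POST /api/signup.

const SIGNUP_SCHEMA = {
  email: { type: 'string', pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
  age: { type: 'number', min: 13, max: 120 },
  displayName: { type: 'string', minLength: 1, maxLength: 40 },
};

// Validate `body` against `schema`. Returns { ok: true, value } where value holds
// only the declared fields, or { ok: false, errors } listing every violation.
function validate(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    if (v === undefined) { errors.push(`${field} is required`); continue; }
    if (typeof v !== rule.type) { errors.push(`${field} must be a ${rule.type}`); continue; }
    if (rule.type === 'number' && !Number.isFinite(v)) { errors.push(`${field} must be finite`); continue; }
    if (rule.min !== undefined && v < rule.min) errors.push(`${field} must be >= ${rule.min}`);
    if (rule.max !== undefined && v > rule.max) errors.push(`${field} must be <= ${rule.max}`);
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field} is too short`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field} is too long`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field} has an invalid format`);
    value[field] = v;
  }
  // Fields the schema does not declare are an error, not silently dropped:
  // a client sending extra fields is worth noticing in logs.
  for (const field of Object.keys(body)) {
    if (!Object.hasOwn(schema, field)) errors.push(`${field} is not an allowed field`);
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Express-style middleware factory: reject with 400 before business logic runs.
function validateBody(schema) {
  return (req, res, next) => {
    const result = validate(schema, req.body);
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    req.body = result.value; // the handler sees only validated, declared fields
    next();
  };
}
// Usage: app.post('/api/signup', validateBody(SIGNUP_SCHEMA), signupHandler);
```

Rejecting undeclared fields (rather than ignoring them) also gives you a cheap detection signal: requests that keep failing with "is not an allowed field" usually mean someone is probing for parameters the API does not advertise.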

Prevent SQL Injection with Parameterized Queries

SQL injection occurs when user input is concatenated directly into SQL strings, allowing attackers to manipulate query logic. Always use parameterized queries or prepared statements where user input is passed as separate parameters, never embedded in the query string. ORM libraries like Sequelize and Mongoose handle parameterization automatically, but if you write raw SQL queries, use the parameter binding syntax of your database driver.
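The contrast described above, as an added example that is not from the guide: the same lookup written with string concatenation and with a parameterized query, plus a dynamic UPDATE built safely. The returned `{ text, values }` objects are the shape node-postgres' `query(text, values)` accepts, but no database is contacted; the `users` table and its columns are assumptions.

```javascript
// Added example, not from the guide. Query objects use node-postgres style
// `$1` placeholders; the table and column names are assumed for illustration.

// Vulnerable: the username becomes part of the SQL text, so any quote in the
// input rewrites the statement. Even a legitimate name like o'brien breaks it.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Safe: the SQL text is a constant; the driver ships the value separately,
// so it can never be parsed as SQL.
function findUserSafe(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = $1',
    values: [username],
  };
}

// Parameter binding covers values only. Identifiers (table and column names)
// cannot be bound, so a dynamic SET list must be drawn from an allowlist of
// known columns, never from client-supplied names.
const USER_COLUMNS = new Set(['email', 'display_name']);

function buildUserUpdate(id, changes) {
  const sets = [];
  const values = [];
  for (const [column, value] of Object.entries(changes)) {
    if (!USER_COLUMNS.has(column)) throw new Error(`column not updatable: ${column}`);
    values.push(value);
    sets.push(`${column} = $${values.length}`); // placeholder index, not the value
  }
  if (sets.length === 0) throw new Error('nothing to update');
  values.push(id);
  return {
    text: `UPDATE users SET ${sets.join(', ')} WHERE id = $${values.length}`,
    values,
  };
}

// Usage with node-postgres: const { rows } = await pool.query(findUserSafe(name));
const sample = "o'brien";
console.log(findUserUnsafe(sample)); // quoting already broken by a normal name
console.log(findUserSafe(sample));   // text unchanged; values carry the name
```

The `buildUserUpdate` helper is where concatenation usually creeps back in: developers correctly bind the values but then interpolate the column list from the request. Keeping identifiers on a server-side allowlist closes that gap.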

Hash Passwords with bcrypt

Never store plaintext passwords in the database. Use bcrypt to hash passwords before storing them. A bcrypt hash includes a random salt automatically, so the same password hashed twice produces two different hashes, which defeats rainbow table attacks. Use a work factor of at least 12, which means bcrypt runs 2 to the power of 12 hashing rounds. Use bcrypt.compare to verify passwords during login.

Implement CORS Correctly

Cross-Origin Resource Sharing controls which domains can make requests to your API from a browser. Install the cors package and configure it with an explicit allowlist of trusted origins rather than the wildcard asterisk, which allows any domain. Specify which HTTP methods and headers are allowed. Set credentials: true only if your API uses cookies, and in that case list only the specific trusted origins that need cookie access.
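The allowlist configuration above, as an added example that is not from the guide: a `corsOptions` object in the shape the cors package accepts (its `origin` option may be a function of `(origin, callback)`), with exact-match origin checking. The origins are assumptions, and the cors package itself is not loaded so the decision logic can be exercised on its own.

```javascript
// Added example, not from the guide. The origins below are assumed; the
// options object matches the cors package's documented option names, but the
// package is not required here so the origin check can run stand-alone.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Exact match on the full origin (scheme + host + port). A substring or
// regex test would accept look-alikes such as https://app.example.com.evil.test.
function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

const corsOptions = {
  origin(origin, callback) {
    // No Origin header means a non-browser or same-origin request; CORS
    // headers do not apply, so grant nothing rather than reflecting anything.
    if (!origin) return callback(null, false);
    if (isAllowedOrigin(origin)) return callback(null, true);
    callback(new Error(`origin not allowed: ${origin}`));
  },
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true, // only because this API uses cookies; never combine with '*'
  maxAge: 600,       // cache preflight responses for 10 minutes
};
// Usage in Express: app.use(cors(corsOptions));

// Drives the origin callback synchronously so the policy can be unit-tested.
function decideOrigin(origin) {
  let decision = false;
  corsOptions.origin(origin, (err, allow) => { decision = err ? false : Boolean(allow); });
  return decision;
}
```

Returning an error from the `origin` callback surfaces as an error in Express's error handler; log those events, since repeated rejections from one origin are a useful signal that a third-party page is trying to call your API.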

Prevent Mass Assignment Vulnerabilities

Mass assignment occurs when you directly spread req.body into a database update operation, allowing attackers to set fields they should not control like isAdmin or accountBalance. Always explicitly pick only the fields you intend to update from req.body instead of spreading the entire body. Define a whitelist of allowed fields per operation and ignore everything else.
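The spread-versus-pick contrast above, as an added example that is not from the guide: a vulnerable update built from `req.body` next to a per-operation allowlist, plus a helper that reports which fields a client sent that it should not have. The field names are constructed for illustration.

```javascript
// Added example, not from the guide. Field names are constructed; a real
// update call such as db.users.update(id, fields) is left as a comment.

// Vulnerable: every key the client sends becomes part of the update,
// including isAdmin or accountBalance if the client chooses to send them.
function buildProfileUpdateUnsafe(body) {
  return { ...body };
}

// Allowlists are defined per operation: a profile edit and an email change
// touch different columns, and neither includes privilege or balance fields.
const UPDATABLE = {
  profile: ['displayName', 'bio', 'avatarUrl'],
  email: ['email'],
};

// Copy only allowlisted own properties. Prototype keys and everything not
// on the list are dropped; undefined values are skipped so a field cannot be
// nulled out merely by the client naming it.
function pick(body, allowedFields) {
  const out = {};
  if (body === null || typeof body !== 'object') return out;
  for (const field of allowedFields) {
    if (Object.hasOwn(body, field) && body[field] !== undefined) out[field] = body[field];
  }
  return out;
}

// Names of fields the client sent that this operation does not accept.
// Worth logging: a request carrying isAdmin is a probe, not a typo.
function unexpectedFields(body, allowedFields) {
  const allowed = new Set(allowedFields);
  return Object.keys(body || {}).filter((f) => !allowed.has(f));
}

function buildProfileUpdate(body) {
  return pick(body, UPDATABLE.profile);
}
// Usage: await db.users.update(req.user.id, buildProfileUpdate(req.body));
```

Note that the allowlist belongs to the operation, not to the model: an admin endpoint may legitimately update `isAdmin`, so the same `pick` helper is reused with a different list behind a different authorization check.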

Implement CSRF Protection

Cross-Site Request Forgery tricks an authenticated user's browser into submitting requests the user never intended, carrying the user's cookies along. Protect state-changing endpoints using CSRF tokens. Generate a unique token per session, embed it in forms and custom headers, and validate it on the server before processing any POST, PUT, PATCH, or DELETE request. The csurf package handles this for Express applications, although it is no longer maintained, so check for a maintained alternative before adopting it. APIs that receive a JWT in a custom header are naturally protected because browsers do not attach custom headers to cross-origin requests by default; a request carrying one triggers a CORS preflight that your CORS policy can refuse.

Audit Dependencies Regularly

Third-party npm packages are a major attack vector. Run npm audit regularly to check your entire dependency tree for known vulnerabilities. Configure your CI pipeline to run npm audit and fail builds when high or critical severity vulnerabilities are found. Use tools like Snyk or Dependabot to automatically open pull requests when vulnerable dependencies have patches available. Keep all dependencies up to date and remove unused packages.
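The CI gate described above, as an added example that is not from the guide: a small script that reads the JSON produced by `npm audit --json` and fails when any finding meets a severity threshold. The report embedded below is a constructed sample that follows the layout of npm 7+ audit reports (a `vulnerabilities` map keyed by package name, each entry carrying a `severity`, and summary counts under `metadata.vulnerabilities`); the package names in it are made up.

```javascript
// Added example, not from the guide. SAMPLE_REPORT is a constructed stand-in
// for `npm audit --json` output; in CI you would parse the real output
// (for example: npm audit --json > audit.json) and feed it to evaluateAudit.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns { fail, offending, counts }: fail is true when any vulnerability is
// at or above `threshold`; offending lists "name (severity)" for those.
function evaluateAudit(report, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const offending = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= minRank)
    .map((v) => `${v.name} (${v.severity})`)
    .sort();
  return { fail: offending.length > 0, offending, counts };
}

// Constructed sample in the npm 7+ report layout; package names are invented.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high', isDirect: true },
    'example-logger': { name: 'example-logger', severity: 'low', isDirect: false },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 },
  },
};

// Human-readable summary line for the build log.
function summarize(result) {
  const c = result.counts;
  const head = `audit: ${c.total ?? 0} findings (critical=${c.critical ?? 0}, high=${c.high ?? 0})`;
  return result.fail ? `${head} FAIL: ${result.offending.join(', ')}` : `${head} OK`;
}

const result = evaluateAudit(SAMPLE_REPORT, 'high');
console.log(summarize(result));
// In a CI script: process.exitCode = result.fail ? 1 : 0;
```

For the simple case npm already has this built in (`npm audit --audit-level=high` exits non-zero at or above that level); parsing the JSON yourself is useful when you want the offending package names in the build log or want to apply an allowlist of accepted findings with an expiry date.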
