How do you store passwords securely in Node.js?
Never store plain text. Use bcrypt: genSalt(10) for a random salt, hash(password, salt) for the hash, and compare(inputPassword, storedHash) for verification. bcrypt is deliberately slow (resists brute-force) and uses salts (prevents rainbow table attacks).
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Node.js Security Interview Questions Authentication, Injection, and Best Practices
Sign a JWT with user ID using jwt.sign(), store in an HTTP-only cookie (secure: true, sameSite: 'strict'), and verify on each request with auth middleware (jwt.verify). HTTP-only cookies prevent JavaScript access (XSS-safe). Never store JWTs in localStorage.
NoSQL injection occurs when user input like { $gt: '' } is passed directly to MongoDB queries, returning all documents. Prevent with express-mongo-sanitize (removes $ and . from req.body), validate input types, and use Mongoose schema validation.
Use helmet() for all headers, or set manually: X-Content-Type-Options (nosniff), X-Frame-Options (SAMEORIGIN, prevents clickjacking), Strict-Transport-Security (HSTS, forces HTTPS), Content-Security-Policy (restricts script sources), and X-XSS-Protection.
Still have questions?
Browse all our FAQs or reach out to our support team
