Facebook Pixel

What security headers should you set in Express?

Use helmet() for all headers, or set manually: X-Content-Type-Options (nosniff), X-Frame-Options (SAMEORIGIN, prevents clickjacking), Strict-Transport-Security (HSTS, forces HTTPS), Content-Security-Policy (restricts script sources), and X-XSS-Protection.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Node.js Security Interview Questions Authentication, Injection, and Best Practices

Sign a JWT with user ID using jwt.sign(), store in an HTTP-only cookie (secure: true, sameSite: 'strict'), and verify on each request with auth middleware (jwt.verify). HTTP-only cookies prevent JavaScript access (XSS-safe). Never store JWTs in localStorage.

NoSQL injection occurs when user input like { $gt: '' } is passed directly to MongoDB queries, returning all documents. Prevent with express-mongo-sanitize (removes $ and . from req.body), validate input types, and use Mongoose schema validation.

Never store plain text. Use bcrypt: genSalt(10) for a random salt, hash(password, salt) for the hash, and compare(inputPassword, storedHash) for verification. bcrypt is deliberately slow (resists brute-force) and uses salts (prevents rainbow table attacks).

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.